Well, it’s almost exactly as you posted above. I can only try to transform it into a simple step-by-step tutorial for a Windows environment.
Prerequisites:
- download and install the latest GPG4Win binaries gpg4win.org/download.html. Only the base component (GnuPG 2.0.x) is necessary;
- AUTH RSA key stored on your smart card (see CryptoStick Installation Guide crypto-stick.com/start | 2. Initialize the Crypto Stick).
- Plug in your CryptoStick. Open a command prompt and execute:
gpgsm --gen-key -o [your_csr_filename].pem
Output:
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection?
Select 3
Serial number of the card: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Available keys:
(1) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1
(2) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2
(3) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.3
Your selection?
AUTH key is OPENPGP.3, so select 3 again.
Then enter the desired information about your certificate in the prompted fields (see the gpgsm manual for more info):
[code]
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=John Doe
Enter email addresses (end with an empty line):
john.doe@neverland.com
Enter DNS names (optional; end with an empty line):
Enter URIs (optional; end with an empty line):
Parameters to be used for the certificate request:
Key-Type: card:OPENPGP.3
Key-Length: 1024
Key-Usage: sign, encrypt
Name-DN: CN=John Doe
Name-Email: john.doe@neverland.com
Really create request? (y/N) y[/code]
Enter your User PIN.
Now creating certificate request. This may take a while ...
gpgsm: about to sign CSR for key: &XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gpgsm: certificate request created
Ready. You should now send this request to your CA.
Now you have your certificate signing request stored in the [your_csr_filename].pem file.
-
You can send this file or copy-paste its contents to your CA to sign (e.g. CACert, StartSSL etc.) or self-sign it by using OpenSSL (there are plenty of articles about how to do it on the Internet). As a result you’ll get your personal signed certificate in PEM format [your_personal_cert].pem or [your_personal_cert].crt.
-
Import your personal certificate into your smart card. It can be done by using either GnuPG 2 or OpenSC.
ATTENTION: CryptoStick supports personal certificates in DER (binary) format only. You have to convert your PEM file first by using OpenSSL, online converters (e.g. sslshopper.com/ssl-converter.html), the Mozilla Firefox plug-in (addons.mozilla.org/ru/firefox/addon/cert-viewer-plus/) or ask your CA to deliver your certificate in DER format.
Using GnuPG 2: plug in your CryptoStick, open a command prompt and execute
gpg2 --card-edit
In the prompt “gpg/card>” enter the hidden command
writecert 3 < [your_cert_in_DER_format_filename].crt
* there is also a hidden command “readcert 3 > mycert.crt” to export your personal X.509 certificate from a smart-card to a file.
Then type “quit” and press Enter.
Using OpenSC: download and install the latest OpenSC binaries, plug in your CryptoStick, open a command prompt and execute
pkcs15-init --store-certificate [your_cert_in_DER_format_filename].crt --id 3
Enter the Admin PIN. The END.
Now you can use your existing AUTH RSA private key and personal X.509 certificate to sign/encrypt your e-mail, or to authenticate on the respective websites, OpenVPN servers etc. using PKCS#11 and your CryptoStick only (or the OpenPGP mini-driver for Microsoft IE, Google Chrome etc. – see crypto-stick.com/en/applications).
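A check worth running before the `writecert 3` / `pkcs15-init --store-certificate` step, as an added example that is not part of the post above: the card takes DER only, so it helps to confirm that the file you are about to write really is DER and not PEM text, and to do the PEM-to-DER conversion locally without an online converter. This is stand-alone Python (standard library only); the function names, the `SAMPLE_DER` bytes and the `SAMPLE_PEM` wrapper are this example's own constructions. `SAMPLE_DER` is a bare DER SEQUENCE holding one INTEGER, not a real X.509 certificate, because the checks look only at the outer ASN.1 framing (tag 0x30 and a definite length that covers the whole file), not at the certificate contents.

```python
import base64
import re
import sys

# Constructed stand-in for a certificate body: a DER SEQUENCE (0x30) of length 3
# containing one INTEGER (02 01 05). NOT a real X.509 certificate; it exists only
# so the framing checks below have something to run on.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_tlv_length(buf: bytes) -> int:
    """Total size (tag + length octets + content) of the first DER TLV in buf,
    or -1 if the length header is malformed, indefinite or non-minimal."""
    if len(buf) < 2:
        return -1
    first = buf[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n following length octets
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return -1                         # indefinite form or absurd length
    content_len = int.from_bytes(buf[2:2 + n], "big")
    if buf[2] == 0 or content_len < 0x80:
        return -1                         # DER requires the minimal encoding
    return 2 + n + content_len


def is_der_certificate(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE whose declared length covers the
    whole buffer. Rejects PEM text, truncated files and trailing junk."""
    return len(buf) >= 2 and buf[0] == 0x30 and der_tlv_length(buf) == len(buf)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not is_der_certificate(der):
        raise ValueError("decoded body is not a well-formed DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    """Reverse direction, e.g. for a file produced by 'readcert 3 > mycert.crt'."""
    if not is_der_certificate(der):
        raise ValueError("input is not a well-formed DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def prepare_for_writecert(raw: bytes) -> bytes:
    """Accept either DER or PEM file contents and return DER ready for the card."""
    if is_der_certificate(raw):
        return raw
    return pem_to_der(raw.decode("latin-1"))


if __name__ == "__main__":
    # Usage: python thisfile.py input.pem-or-.crt output.der
    with open(sys.argv[1], "rb") as f:
        der = prepare_for_writecert(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(der)
    print("wrote %d bytes of DER to %s" % (len(der), sys.argv[2]))
```

Run it on the certificate your CA returned and feed the output file to `writecert 3` (or `--store-certificate`). If the input already passes `is_der_certificate` it is written through unchanged, so the script is safe to run on a file of unknown encoding.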