gpgsm: create cert for client authentication with single batch command
Fabian Peter Hammerle
fabian.hammerle at gmail.com
Sat May 20 19:06:32 CEST 2017
Hi,
I would like to use gpgsm to create x509 certificates for HTTPS client authentication.
Currently I follow these steps:
1. create RSA key
$ gpgsm --gen-key --batch <<EOF
> Key-Type: RSA
> Key-Length: 2048
> Name-DN: CN=temporary to create key
> EOF
2. determine keygrip in ~/.gnupg/private-keys-v1.d
3. create / sign cert
$ gpgsm --gen-key --batch --output cert.der <<EOF
> Key-Type: RSA
> Key-Grip: [keygrip determined in step 2]
> Key-Usage: sign
> Serial: random
> Name-DN: CN=client
> Hash-Algo: SHA256
> Subject-Key-Id: [keygrip determined in step 2]
> Issuer-DN: CN=my ca
> Signing-Key: [keygrip of CA]
> Authority-Key-Id: [keygrip of CA]
> Extension: 2.5.29.19 c 3003010100
> # X509v3 Extended Key Usage:
> # TLS Web Client Authentication
> Extension: 2.5.29.37 n 300A06082B06010505070302
> EOF
generated cert in gpgsm:
> ID: 0xC5F39AEF
> S/N: 3956F9C7E8AC6D90
> Issuer: /CN=my ca
> Subject: /CN=client
> validity: 2017-05-20 16:44:33 through 2063-04-05 17:00:00
> key type: 2048 bit RSA
> key usage: digitalSignature nonRepudiation
> ext key usage: clientAuth (suggested)
> fingerprint: A7:D1:FE:1C:FA:CD:0B:EE:2F:05:B5:4B:2D:4E:89:DD:C5:F3:9A:EF
> keygrip: [keygrip determined in step 2]
> [certificate is good]
$ openssl x509 -inform der -in cert.der -text -outform pem -out cert.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 4131764345156431248 (0x3956f9c7e8ac6d90)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=AT, CN=Fabian Peter Hammerle
> Validity
> Not Before: May 20 16:44:33 2017 GMT
> Not After : Apr 5 17:00:00 2063 GMT
> Subject: CN=client
> Subject Public Key Info:
> [...]
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> X509v3 Subject Key Identifier:
> [keygrip determined in step 2]
> X509v3 Authority Key Identifier:
> keyid:[keygrip of CA]
>
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation
> Signature Algorithm: sha256WithRSAEncryption
> [...]
$ openssl verify -verbose cert.pem
> cert.pem: OK
My problem:
Currently I have to call gpgsm twice in order to set the Subject Key Identifier extension.
In the first step I don't know the keygrip yet, so I can't set:
> Subject-Key-Id: 12345...CDEF
Can I tell gpgsm to set the Subject Key ID according to the newly created RSA key?
I am looking for a solution like:
$ gpgsm --gen-key --batch --output cert.der <<EOF
> Key-Type: RSA
> Key-Length: 2048
> Key-Usage: sign
> Serial: random
> Name-DN: CN=client
> Hash-Algo: SHA256
> Subject-Key-Id: magic-keyword
> Issuer-DN: CN=my ca
> Signing-Key: [keygrip of CA]
> Authority-Key-Id: [keygrip of CA]
> Extension: 2.5.29.19 c 3003010100
> # X509v3 Extended Key Usage:
> # TLS Web Client Authentication
> Extension: 2.5.29.37 n 300A06082B06010505070302
> EOF
I would prefer creating the cert in a single step.
Fabian
--
fabian.hammerle.me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: </pipermail/attachments/20170520/bac807ef/attachment.sig>
More information about the Gnupg-users
mailing list