Can I use my Microsoft Outlook S/MIME certificate with gpgsm.exe ?

Dan Bryant dkbryant at gmail.com
Thu Mar 14 23:20:03 CET 2019


Thanks,  I checked the following per your advice

1. Are any of the certs ECC?

No, they all appear to be RSA keys.

2. Has the org root cert been imported?

I believe so, yes.  There are three certs in the chain.  My S/MIME
cert, its parent, and its "grandparent".  Both gpgsm and the Windows
Cert Manager show only three certs in the chain.  The same three certs
that show up in Windows Cert Manager show up in gpgsm.

When I listed the cert chain with validation I got a lot of CRL
errors.  I tried to import the CRLs listed in the certs, but it
appeared to fail.  I will also note that I have not added any LDAP
servers.  I would prefer to be able to do the signing "offline" when
I'm not on my corporate network.

I also don't think my company will allow me to store password data in
cleartext in the dirmngr_ldapservers.conf file.  If there is any way to
encrypt this data with a master password, that would be preferred.

Here's a list of commands I tried to hopefully shed some light on my config

$ gpgsm --verbose --with-validation --list-chain 0x64208E9A
[REDACTED]\AppData\Roaming\gnupg\pubring.kbx
---------------------------------------------------
           ID: 0x64208E9A
           <clip>
Certified by
           ID: 0x2731A14E
           <clip>
Certified by
           ID: 0x0B9BC7C1
           <clip>

$ wc -l "[REDACTED]\AppData\Roaming\gnupg\dirmngr_ldapservers.conf"
0 [REDACTED]\AppData\Roaming\gnupg\dirmngr_ldapservers.conf

$ gpgsm -a --export 0x64208E9A | openssl x509 -text | grep -i http
                  URI:[REDACTED-0x64208E9A-CRL]
                OCSP - URI:[REDACTED-0x64208E9A-OCSP]
                  CPS: [REDACTED-0x64208E9A-CPS]

$ gpgsm -a --export 0x2731A14E | openssl x509 -text | grep -i http
<NO MATCH>

$ gpgsm -a --export 0x0B9BC7C1 | openssl x509 -text | grep -i http
                OCSP - URI:[REDACTED-0x0B9BC7C1-OCSP]
                  CPS: [REDACTED-0x0B9BC7C1-CSP]
                    Explicit Text: [REDACTED-0x0B9BC7C1-ETXT]
                  URI:[REDACTED-0x0B9BC7C1-CRL]

$ dirmngr --verbose --fetch-crl [REDACTED-0x0B9BC7C1-CRL]
dirmngr[76084]: permanently loaded certificates: 253
dirmngr[76084]:     runtime cached certificates: 0
dirmngr[76084]:            trusted certificates: 253 (252,0,0,1)
dirmngr[76084]: update times of this CRL: this=20190226T000000 next=20190324T235959
dirmngr[76084]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[76084]: error checking validity of CRL issuer certificate: No value
dirmngr[76084]: crl_parse_insert failed: No value
dirmngr[76084]: processing CRL from '[REDACTED-0x0B9BC7C1-CRL]' failed: No value

$ dirmngr --verbose --fetch-crl [REDACTED-0x64208E9A-CRL]
dirmngr[75900]: permanently loaded certificates: 253
dirmngr[75900]:     runtime cached certificates: 0
dirmngr[75900]:            trusted certificates: 253 (252,0,0,1)
dirmngr[75900]: update times of this CRL: this=20190314T170848 next=20190317T170848
dirmngr[75900]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[75900]: Note: non-critical certificate policy not allowed
dirmngr[75900]: error checking validity of CRL issuer certificate: No value
dirmngr[75900]: crl_parse_insert failed: No value
dirmngr[75900]: processing CRL from '[REDACTED-0x64208E9A-CRL]' failed: No value

$ gpgsm --verbose --with-validation --list-chain 0x64208E9A
[REDACTED]\AppData\Roaming\gnupg\pubring.kbx
---------------------------------------------------
           ID: 0x64208E9A
          S/N: [REDACTED]
       Issuer: [REDACTED]
      Subject: [REDACTED]
          aka: [REDACTED]
     validity: [REDACTED]
     key type: 2048 bit RSA
    key usage: digitalSignature keyEncipherment
ext key usage: emailProtection
     policies: 2.16.840.1.113733.1.7.23.2:N:
  fingerprint: [REDACTED]
  [Note: non-critical certificate policy not allowed]
  [checking the CRL failed: No value]
  [certificate is bad: No value]
Certified by
           ID: 0x2731A14E
          S/N: [REDACTED]
       Issuer: [REDACTED]
      Subject: [REDACTED]
     validity: [REDACTED]
     key type: 2048 bit RSA
    key usage: certSign crlSign
     policies: 2.16.840.1.113733.1.7.23.2:N:
 chain length: 0
  fingerprint: [REDACTED]
  [Note: non-critical certificate policy not allowed]
  [certificate is bad: No value]
Certified by
           ID: 0x0B9BC7C1
          S/N: [REDACTED]
       Issuer: [REDACTED]
      Subject: [REDACTED]
     validity: [REDACTED]
     key type: 2048 bit RSA
 chain length: none
  fingerprint: [REDACTED]
  [certificate is bad: No value]

$ echo hi | gpgsm --sign --armor --default-key 0x64208E9A \
> --disable-crl-checks --disable-policy-checks --verbose  \
> --audit-log alog.txt
gpgsm: certificate is good
gpgsm: validation model used: shell
gpgsm: error creating signature: No value <KSBA>

$ cat alog.txt
* Data signing succeeded:         No
*   Data available:         No
* Gpg-Agent usable:         Yes

On Thu, Mar 14, 2019 at 8:20 AM Werner Koch <wk at gnupg.org> wrote:
>
> On Wed, 13 Mar 2019 03:03, dkbryant at gmail.com said:
>
> > $ echo hi | gpgsm --sign --armor --default-key 0x64208E9A
> > --disable-crl-checks --disable-policy-checks
> > gpgsm: error creating signature: No value <KSBA>
>
> Please always add -v or --verbose to the invocation if you run into
> problems.  This gives more diagnostics.  For gpgsm I would also suggest
> to add
>
>   --audit-log alog.txt
>
> which prints some infos about the certificate etc. to the given file.
>
> Are you sure that the root certificate of your organization has been
> imported?  Use
>
>   gpgsm --list-chain 0x64208E9A
>
> to check this.  You can add --with-validation in which case gpgsm does
> all checks it would do before signing or encrypting.
>
> Note that ECC certificates are not yet supported.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYIAB0WIQTX/8BjtAoilLlm20f/gK6dHew1jQUCXIpUagAKCRD/gK6dHew1
> jcfbAQDejK+gexZxO/4IZNBO7LvvUo5c1m7W89QHEubOCiK6pAD+O9gWjkejwM/r
> 3EkthGX3+yoet57UBe6BpCAOz0unWwc=
> =R8FP
> -----END PGP SIGNATURE-----
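The thread above ends with two things a practitioner would want to separate: whether the CRLs themselves are sound (signed by the issuer in the chain, not yet expired) and whether the problem is local to dirmngr. It also shows `--disable-crl-checks` being used to get past the failure, which means gpgsm would happily sign with a certificate the CA has since revoked. The script below is an added example, not from the original thread and not GnuPG project code. It exports the chain gpgsm knows about, fetches each certificate's http(s) CRL, verifies the CRL signature independently with openssl against the exported chain, and loads the CRLs that verify into dirmngr's cache so that a later `gpgsm --sign` can pass its CRL check while off the corporate network. It assumes `gpgsm`, `dirmngr`, `openssl` (1.1.1 or later, for `x509 -ext`) and `curl` are on PATH (on Windows, from a Git Bash or MSYS shell like the one used in the post), and it assumes the output shapes of `gpgsm --list-chain` and `openssl x509 -text` seen in the thread. It does not explain the `No value` error above; it only gives an independent view of the CRLs dirmngr rejected.

```shell
#!/bin/sh
# Added example: pre-fetch and verify the CRLs for a gpgsm certificate chain,
# then load the verified ones into dirmngr's cache for offline signing.
# Assumes gpgsm, dirmngr, openssl (1.1.1+ for `x509 -ext`) and curl on PATH.
set -eu

# Keep only http(s) CRL distribution points from the output of
# `openssl x509 -noout -ext crlDistributionPoints`, read on stdin.
# LDAP points are dropped on purpose: the goal is a cache that works offline,
# and it avoids needing credentials in dirmngr_ldapservers.conf at all.
crl_uris() {
    sed -n 's|^[[:space:]]*URI:\(https\{0,1\}://[^[:space:]]*\).*|\1|p'
}

# Reduce the diagnostics of `openssl crl -CAfile chain.pem -noout` (which
# openssl writes to stderr) to a single word: "ok" or "bad".
crl_verdict() {
    if grep -q '^verify OK'; then echo ok; else echo bad; fi
}

# Print the short key IDs of every certificate gpgsm lists in KEYID's chain
# (the "ID: 0x..." lines of `gpgsm --list-chain`).
chain_ids() {
    gpgsm --list-chain "$1" | sed -n 's|^[[:space:]]*ID: \(0x[0-9A-Fa-f]*\).*|\1|p'
}

main() {
    keyid=$1
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # 1. Export leaf, intermediate and root as PEM. openssl needs every
    #    issuer certificate in one file to verify each CRL's signature.
    : > "$work/chain.pem"
    for id in $(chain_ids "$keyid"); do
        gpgsm --armor --export "$id" > "$work/$id.pem"
        cat "$work/$id.pem" >> "$work/chain.pem"
    done

    # 2. For each certificate: fetch its http(s) CRLs, check they really are
    #    CRLs, verify the signature against the chain, then load into dirmngr.
    for pem in "$work"/0x*.pem; do
        id=$(basename "$pem" .pem)
        openssl x509 -in "$pem" -noout -ext crlDistributionPoints 2>/dev/null \
            | crl_uris | while IFS= read -r uri; do
            crl="$work/$id-$(printf '%s' "$uri" | cksum | cut -d' ' -f1).crl"
            if ! curl -fsSL --max-time 30 "$uri" -o "$crl"; then
                echo "$id: fetch failed: $uri" >&2
                continue
            fi
            # Most CAs publish DER; accept PEM too, reject anything else
            # (an HTML error page from a proxy is a common surprise here).
            if openssl crl -inform DER -in "$crl" -noout 2>/dev/null; then inform=DER
            elif openssl crl -inform PEM -in "$crl" -noout 2>/dev/null; then inform=PEM
            else echo "$id: not a CRL: $uri" >&2; continue
            fi
            openssl crl -inform "$inform" -in "$crl" -noout -issuer -lastupdate -nextupdate
            verdict=$(openssl crl -inform "$inform" -in "$crl" -CAfile "$work/chain.pem" -noout 2>&1 | crl_verdict)
            if [ "$verdict" != ok ]; then
                echo "$id: CRL signature does not verify against the exported chain: $uri" >&2
                continue
            fi
            # Normalise to DER before handing the file to dirmngr's cache.
            openssl crl -inform "$inform" -in "$crl" -outform DER -out "$crl.der"
            if dirmngr --load-crl "$crl.der"; then
                echo "$id: loaded $uri"
            else
                echo "$id: dirmngr refused $uri" >&2
            fi
        done
    done

    # 3. Show what the cache now holds, then rerun the same validation that
    #    gpgsm performs before signing.
    dirmngr --list-crls
    gpgsm --with-validation --list-chain "$keyid"
}

# Run only when a key ID is given, e.g.:  sh crl-offline-check.sh 0x64208E9A
[ $# -eq 0 ] || main "$1"
```

Run it once while on the network; afterwards `gpgsm --sign` can be used without `--disable-crl-checks` until the cached CRLs reach their nextUpdate time, at which point dirmngr will again need to fetch. If `openssl crl -CAfile` reports "verify OK" for a CRL that dirmngr still rejects, the CRL and its issuer certificate are consistent as far as openssl can tell and the remaining difference is in how dirmngr/libksba interprets them, which is the right thing to report to the list.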
