Using PKI X.509 certificates in GnuPG

January 10th, 2009

Many company IT security policies insist that employees use only encryption keys generated by the company PKI, so that the company can recover the keys if they are lost or if the employee leaves. PKI-issued certificates, together with the private keys they certify, are usually used with S/MIME in programs such as Outlook or Thunderbird.

However, some people want to use the OpenPGP encryption standard, often because a customer or other correspondent requires it. This post explains how to export a certificate issued by an enterprise PKI for use in the popular open source encryption program GnuPG. GnuPG implements the OpenPGP standard and can exchange encrypted e-mail with users of the commercial PGP product.

In this example the certificate is in the Firefox certificate store.


This certificate is for John at


Next, back up the certificate to disk. Firefox writes a PKCS#12 file with the extension “.p12” when the backup includes the private key, and asks for a password to protect it. Treat that file as you would the private key itself: keep it off shared storage and delete it once the import is finished.


The gpg program cannot import an X.509 certificate (GnuPG's S/MIME component, gpgsm, can import a PKCS#12 file, but that gives you an S/MIME key, not an OpenPGP one). So the certificate must first be imported into PGP, which converts it into an OpenPGP key.


In PGPkeys use “Import” on the “Keys” menu and select the .p12 file.


After importing the key, click on it and select “Add” and then “Name” to add a user ID to the key. An OpenPGP key needs at least one user ID, and GnuPG will not import a key that has none; in this case the user ID also identifies the key.


PGP protects the exported private key with the IDEA algorithm, which at the time of writing was not available in GnuPG because it was patented. To get around this you must remove the key protection by changing the passphrase to an empty one. Be careful to delete the key from PGP afterwards, or else change back to a non-empty passphrase. (The IDEA patents have since expired and GnuPG from 1.4.13 and 2.0.20 onward includes IDEA, so a recent GnuPG may accept the protected key directly; try the import first and fall back to this step only if it fails, because an export with an empty passphrase is a plaintext private key on disk for as long as the file exists.)


Now export the key. PGP writes the exported key in standard OpenPGP form, which GnuPG imports directly.


Select “Include Private Key”.


Import the key into the GnuPG key ring with gpg --import.


It is very important that you edit the key right away (gpg --edit-key, then the passwd command) to protect it with a passphrase, and then securely delete the exported file, which still holds the unprotected private key. You can set the trust level of the key (the trust command) at the same time.


Now test the key by encrypting and then decrypting a message.


You now have a key in your GnuPG key ring that complies with your company IT security policy: the key material came from the company PKI and is therefore archived and recoverable under that policy. Note that only the RSA key itself is shared. The OpenPGP key has its own fingerprint and key ID, and the CA's signature on the certificate does not carry over, so correspondents still need to verify the fingerprint with you out of band or obtain a signature from a key they already trust.
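A check worth doing after the import is to confirm that the key now in the GnuPG ring really is the RSA key the PKI issued, and not some other key PGP happened to export. The script below is an added example, not code from this post or from GnuPG. It parses the primary key packet of a `gpg --export` file, computes the v4 fingerprint (which should match what `gpg --fingerprint` prints), pulls the modulus out of a DER certificate (obtained with, for example, `openssl pkcs12 -in john.p12 -nokeys -out cert.pem` and `openssl x509 -in cert.pem -outform DER -out cert.der`) and compares the two. It assumes the certificate's key became the primary key of the OpenPGP key and that gpg wrote the key packet with the old header format, which it does; the sample key and SubjectPublicKeyInfo blob at the bottom are constructed with a made-up modulus, not real key material.

```python
"""Check that an OpenPGP key and an X.509 certificate hold the same RSA modulus.
Added example, not code from the post. Assumes the key as written by
`gpg --export` (binary or armoured, primary key packet first) and a DER X.509
certificate. The sample data at the bottom is constructed with a made-up modulus."""
import base64
import hashlib
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def dearmor(data: bytes) -> bytes:
    """Strip OpenPGP ASCII armour (RFC 4880 6.2) if present."""
    if not data.startswith(b"-----BEGIN"):
        return data
    body, in_body = [], False
    for line in data.splitlines():
        line = line.strip()
        if not in_body:
            in_body = line == b""                       # blank line ends the armour headers
        elif line.startswith((b"-----END", b"=")):       # "=" starts the CRC24 line
            break
        else:
            body.append(line)
    return base64.b64decode(b"".join(body))


def _key_packet(data: bytes):
    """(tag, body) of the leading packet; gpg writes key packets in the old header format."""
    ctb = data[0]
    if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
        raise ValueError("expected an old-format packet with a definite length")
    nbytes = (1, 2, 4)[ctb & 0x03]
    length = int.from_bytes(data[1:1 + nbytes], "big")
    return (ctb >> 2) & 0x0F, data[1 + nbytes:1 + nbytes + length]


def _mpi(body: bytes, pos: int):
    """Decode an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    nbytes = (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def openpgp_rsa_key(key_bytes: bytes):
    """Return (modulus, v4 fingerprint) of the primary key in an exported key."""
    tag, body = _key_packet(dearmor(key_bytes))
    if tag not in (5, 6):                               # secret-key / public-key packet
        raise ValueError(f"leading packet has tag {tag}, not a key")
    if body[0] != 4 or body[5] not in (1, 2, 3):        # version 4, one of the RSA algo ids
        raise ValueError("only version 4 RSA keys handled")
    n, pos = _mpi(body, 6)                              # pkey[0] = n, pkey[1] = e
    _e, pos = _mpi(body, pos)
    public = body[:pos]                                 # secret packets go on with S2K data
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(public)) + public).hexdigest()
    return n, fp.upper()


def _der_len(buf: bytes, pos: int):
    """Decode a DER length at pos; return (length, offset of the content)."""
    first = buf[pos]
    extra = 0 if first < 0x80 else first & 0x7F
    return (first if not extra else int.from_bytes(buf[pos + 1:pos + 1 + extra], "big")), pos + 1 + extra


def x509_rsa_modulus(der: bytes) -> int:
    """Extract n from the SubjectPublicKeyInfo of a DER-encoded certificate."""
    at = der.find(RSA_ENCRYPTION_OID)
    if at < 0 or der[at + 11:at + 14] != b"\x05\x00\x03":  # NULL params, then BIT STRING
        raise ValueError("no rsaEncryption SubjectPublicKeyInfo found")
    _, pos = _der_len(der, at + 14)
    pos += 1                                            # unused-bits octet of the BIT STRING
    if der[pos] != 0x30:                                # RSAPublicKey ::= SEQUENCE { n, e }
        raise ValueError("expected RSAPublicKey SEQUENCE")
    _, pos = _der_len(der, pos + 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER modulus")
    length, pos = _der_len(der, pos + 1)
    return int.from_bytes(der[pos:pos + length], "big")


def same_rsa_key(pgp_key: bytes, cert_der: bytes) -> bool:
    return openpgp_rsa_key(pgp_key)[0] == x509_rsa_modulus(cert_der)


# Constructed sample data: a public-key packet and an SPKI blob sharing one modulus.
def _der(tag: int, content: bytes) -> bytes:
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    return bytes([tag, 0x82]) + len(content).to_bytes(2, "big") + content


def _der_int(v: int) -> bytes:
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def _mpi_enc(v: int) -> bytes:
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")


def build_samples(n: int, e: int = 65537):
    """Made-up key material (not a real RSA key) in both encodings."""
    body = b"\x04" + struct.pack(">I", 1231545600) + b"\x01" + _mpi_enc(n) + _mpi_enc(e)
    pgp_key = b"\x99" + struct.pack(">H", len(body)) + body        # old-format tag 6 header
    spki = _der(0x30, _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
                + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e))))
    return pgp_key, spki


DEMO_N = int.from_bytes(hashlib.sha256(b"demo").digest() * 8, "big") | (1 << 2047) | 1
```

With real files the call is `same_rsa_key(open("john.gpg", "rb").read(), open("cert.der", "rb").read())`; `openssl x509 -in cert.pem -noout -modulus` prints the certificate side in hex if you want to eyeball it. The fingerprint returned by `openpgp_rsa_key` is the value to give correspondents, since the CA's signature on the certificate says nothing about the OpenPGP key.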

Dawn breakfast at Inishbofin

August 27th, 2008

Inishbofin anchorage

Annuit Coeptis

January 30th, 2008

Did the “All Seeing Eye” of Ra come to the New World via Carthage?

What of Rome?

St. Augustin

January 30th, 2008

Paris landmarks by night

December 6th, 2007


1999 Solar Eclipse

December 2nd, 2007

I took this photo of the August 1999 solar eclipse with a Canon AE-1 and a 300mm Canon lens near Neufchâtel-en-Bray.

Solar Eclipse

Books that changed my World

December 1st, 2007

Zen and the Art of Motorcycle Maintenance by Robert M. Pirsig

Round the Bend by Nevil Shute

Music of the Spheres by Guy Murchie

Guide to Science by Isaac Asimov

The Art of Computer Programming by Donald E. Knuth

Where to get a free S/MIME certificate

November 30th, 2007

The two sites I would recommend for getting free certs are Thawte and Comodo.

CAcert is another site worth recommending, but their certs are not recognized by common mail clients; they work just fine, but you have to know how to import the CA root certificates. You can, of course, roll your own using OpenSSL or Mozilla NSS, but that is a topic for another day.

MozillaZine has a good page on free certs.

[edit: Thawte service discontinued as of 16-Nov-2009]

How to read an “smime.p7m”

November 29th, 2007

If you read your e-mail with a client that does not understand S/MIME encryption and someone sends you an S/MIME encrypted message, you will see an attachment named “smime.p7m”, like this one.

With Gmail you can use the “Show original” option to view the full S/MIME-encoded message, copy and paste it into a text editor, save it as “something.eml” and open that with Outlook Express or a similar client that understands S/MIME. Of course, you do have to have the matching private key to decrypt the message!

With other e-mail clients that do not offer a way to view the unaltered message, or when the “smime.p7m” attachment has been forwarded, you need a way to re-format it into a valid S/MIME message. To do that I wrote this small program. Save the attachment to disk and feed it to “p7mfile.exe”, which will format it and pass it on to Outlook Express.
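The re-formatting the post describes is the MIME framing of RFC 8551 section 3.2: the CMS object must travel as an `application/pkcs7-mime` body part with the right `smime-type` parameter and base64 transfer encoding. The script below is an added example of that framing, not the p7mfile.exe program from the post; it accepts the saved attachment either as raw DER or as base64 text (some clients save it still encoded), reads the outer CMS contentType OID to set `smime-type`, and writes a `.eml` that any S/MIME-aware client can open. The From and To addresses are assumptions (a forwarded attachment has lost the originals), and the sample CMS object is constructed, an envelopedData header around dummy bytes rather than real ciphertext.

```python
"""Rebuild a complete S/MIME message around a bare smime.p7m attachment.
Added example, not the post's p7mfile.exe. It restores the application/pkcs7-mime
framing of RFC 8551 section 3.2 so an S/MIME-aware client or `openssl smime -decrypt`
can process the file. The sample CMS object is constructed (an envelopedData header
around dummy bytes), not real ciphertext."""
import base64
import binascii
import email
from email import policy
from email.message import EmailMessage

# CMS ContentInfo contentType OIDs (RFC 5652): id-signedData, id-envelopedData
CMS_TYPES = {
    bytes.fromhex("06092a864886f70d010702"): "signed-data",
    bytes.fromhex("06092a864886f70d010703"): "enveloped-data",
}


def to_der(blob: bytes) -> bytes:
    """Accept the attachment as saved. DER starts with SEQUENCE (0x30, the
    character '0'); base64 of any DER SEQUENCE starts with 'M', so no collision."""
    blob = blob.strip()
    if blob[:1] == b"M":
        try:
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("attachment is neither DER nor base64") from exc
    if blob[:1] != b"\x30":
        raise ValueError("data is not a DER ContentInfo")
    return blob


def smime_type(der: bytes) -> str:
    """Pick the smime-type parameter from the outer contentType OID, which
    follows the SEQUENCE header (at most 4 bytes) at the start of the blob."""
    for oid, name in CMS_TYPES.items():
        if oid in der[:16]:
            return name
    raise ValueError("unrecognised CMS content type")


def wrap_p7m(blob: bytes, sender: str, recipient: str) -> bytes:
    """Return a .eml carrying the CMS object with the RFC 8551 headers."""
    der = to_der(blob)
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender            # assumed: a forwarded attachment has lost the originals
    msg["To"] = recipient
    msg["Subject"] = "Re-wrapped S/MIME message"
    msg.set_content(der, maintype="application", subtype="pkcs7-mime", cte="base64",
                    disposition="attachment", filename="smime.p7m",
                    params={"smime-type": smime_type(der), "name": "smime.p7m"})
    return msg.as_bytes()


def unwrap_eml(eml: bytes):
    """Parse the .eml back: (content type, smime-type parameter, decoded CMS bytes)."""
    msg = email.message_from_bytes(eml, policy=policy.default)
    return msg.get_content_type(), msg.get_param("smime-type"), msg.get_payload(decode=True)


def sample_p7m(as_base64: bool = False) -> bytes:
    """Constructed ContentInfo { envelopedData, [0] four dummy bytes }; not real ciphertext."""
    content = bytes.fromhex("06092a864886f70d010703") + b"\xa0\x04\xde\xad\xbe\xef"
    der = b"\x30" + bytes([len(content)]) + content
    return base64.b64encode(der) if as_base64 else der
```

Write the result of `wrap_p7m` to a file and open it in an S/MIME-capable client, or decrypt it on the command line with the private key extracted from the PKCS#12 backup (`openssl pkcs12 -in john.p12 -nocerts -out john.key`, then `openssl smime -decrypt -in wrapped.eml -inkey john.key`). Reading the contentType OID matters because a client that sees `smime-type=enveloped-data` on a signed-data object will try to decrypt a signature and fail with an unhelpful error.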

EFS is almost useful

November 28th, 2007

If a student had turned in the EFS design as a project, I might have given them a C+ or B-. It has all the hallmarks of a good encryption design that was then taken by a committee and developed into a product. I wrote this little program to solve the problem of how to copy EFS-encrypted files to a USB key drive. If you just drag the files to the USB drive, Windows ‘helpfully’ decrypts them for you without asking. In any serious encryption system the default should be to *not* decrypt data without explicit permission, sigh!

Copy “sendtoEFS.exe” into the “SendTo” folder in your Windows profile so that it can be used from the Explorer “Send To” menu. It uses the Windows API call “OpenEncryptedFileRaw” to access the raw encrypted data rather than transparently decrypting it; the PDF file explains.