

2.3.1 Creating a CSR

Before you start, make sure that the GPG Agent is running, see Prerequisites and that your card is in the reader. There is no need to configure GPGSM, so you can create a CSR with the command:

$ gpgsm --gen-key > floppy-head.csr
Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 3

As we create a certificate for the OpenPGP Card, the option “[3] Direct from card” should be selected.

Serial number of the card: 355F9746499F0D4B4ECEE4928B007D16
Available keys:
   (1) D53137B94C38D9BF6A199706EA6D5253 OPENPGP.1
   (2) B0CD1A9DFC3539A1D6A8B851A11C8665 OPENPGP.2
   (3) 53DB41052CC590A40B403F3E6350E5DC OPENPGP.3
Your selection? 3
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 2

The only operation currently supported is client authentication. For this, the authentication key has to be selected. This is the third key on the card, so the options “[3] OPENPGP.3” and “[2] sign” should be chosen. Note that the key usage is only advisory, and the CA may assign different capabilities.

Enter the X.509 subject name: CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
Enter email addresses (end with an empty line):
> floppy.head@example.org
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) n

As a last step, the common name and e-mail address of the key owner need to be specified by you. The values above are only an example for a fictitious person working at a fictitious company. DNS names are only meaningful for server certificates and thus should be left empty.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

These parameters are used:
    Key-Type: card:OPENPGP.3
    Key-Length: 1024
    Key-Usage: sign
    Name-DN: CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
    Name-Email: floppy.head@example.org

Proceed with creation? (y/N) y
Now creating certificate request.  This may take a while ...
gpgsm: about to sign the CSR for key: &53DB41052CC590A40B403F3E6350E5DC

GPGSM will now start working on creating the request. During this time you will be asked once for the PIN that unprotects the authentication key on the card; a pop-up window will appear to ask for it.

When it is ready, you should see the final notice:

gpgsm: certificate request created
Ready.  You should now send this request to your CA.

Now, you may look at the created request:

$ cat floppy-head.csr
$
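Before sending the request to the CA, it is worth confirming that the file really is a PKCS#10 request signed by the card key and that the subject is what you typed. The following shell snippet is an added example, not part of the GnuPG manual; it relies on openssl being installed, and demo_csr builds a throwaway request with a software key only so the check can be tried without a card.

```shell
#!/bin/sh
# check_csr FILE EXPECTED_CN: return 0 only if the request's self-signature
# verifies (it was made with the private key belonging to the embedded public
# key, i.e. the card key) and the subject contains the expected CN.
check_csr() {
    csr="$1"; want_cn="$2"
    # -verify re-checks the PKCS#10 signature with the embedded public key
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || {
        echo "signature on $csr does not verify" >&2; return 1; }
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
           | sed 's/^subject= *//')
    case "$subj" in
        *"CN=$want_cn"*) ;;
        *) echo "unexpected subject: $subj" >&2; return 1 ;;
    esac
    # Show what the CA will see: subject plus requested SAN and key usage
    echo "subject: $subj"
    openssl req -in "$csr" -noout -text \
        | grep -A1 -E 'Subject Alternative Name|Key Usage|Public-Key' || true
    return 0
}

# Constructed stand-in for floppy-head.csr: a software RSA key and the same
# subject/e-mail as in the walkthrough. Prints the path of the request.
demo_csr() {
    tmp=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
        -subj "/CN=Floppy Head/OU=Webserver Team/O=Snake Oil, Ltd/L=Snake Town/ST=Snake Desert/C=XY" \
        -addext "subjectAltName=email:floppy.head@example.org" \
        -addext "keyUsage=digitalSignature" \
        -out "$tmp/floppy-head.csr" 2>/dev/null
    echo "$tmp/floppy-head.csr"
}

# Run with CSR_DEMO=1 to exercise the check on the constructed request;
# with a real card, call: check_csr floppy-head.csr "Floppy Head"
if [ -n "${CSR_DEMO:-}" ]; then
    check_csr "$(demo_csr)" "Floppy Head"
fi
```

A request whose signature fails to verify, or whose subject differs from what you entered, should not be sent to the CA.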
