[lug] gpg as personal certificate
Bear Giles
bgiles at coyotesong.com
Fri May 24 13:31:02 MDT 2002
> I'm looking for a way to use gpg (since it's free and portable) to make a
> personal certificate that I
> could import into a browser.
You can't get there from here. There's no direct mapping between
OpenPGP keys and the PKIX certificates.
If you're just playing around, you can create certs and private keys
with OpenSSL. You can generate self-signed certs, or set up your
own CA.
But there are a couple of complications.
1) You can import certs into browsers, but only for other people.
If you want to *sign* something with the browser I think most
of them want you to generate the private key with the browser.
That's a <KEYGEN> tag in Netscape/Mozilla, and a bit of .com .crap
with Microsoft.
Or they might have finally gotten a clue and allow you to import
private keys like every other application does. I do know that
exporting private keys remains problematic - MSIE asks you to
verify that you really want to do it something like _17_ times.
2)
> My intent is to be able to sign digital forms.
That depends entirely on whether the other site will recognize
your cert. If you have control of the application (e.g.,
you're using this to manage an internal process) you can make
sure that your own CA's root cert is in the root CA database.
But if it's a third party who doesn't know you from jack they
*should* refuse to accept your cert.
> Hmm, now that I think about it, maybe I should use keytool from the java
> jdk. I already use that to make web certs, and maybe personal certs are
> more like web certs than gpg signing is.
Web certs should have the server's FQDN in the "common name" field,
while personal certs should have your name. And the 'usage' flags
should also be different, although that's something that a lot of
people don't bother with anyway. But the structure of the certs is
identical.
--
Bear Giles
bgiles at coyotesong.com
303 449 7499
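An added example (not from the post or its author) that walks through the web-cert vs personal-cert distinction with OpenSSL: a self-signed personal cert with a person's name and e-mail in the subject and signing/e-mail usage, a self-signed web cert with the server's FQDN and serverAuth usage, and the PKCS#12 bundle that is the form browsers import. The person, e-mail address, hostname and password are invented; it assumes OpenSSL 1.1.1 or newer for -addext/-ext.

```shell
#!/bin/sh
# Added example, not part of the original post: build a self-signed personal
# cert next to a self-signed web server cert and read the fields back.
# Names, e-mail address, hostname and password below are invented.
set -eu
WORK="$(mktemp -d)"

# Personal certificate: subject names a person, usage restricted to signing.
make_personal_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" \
        -subj "/CN=Alice Example/emailAddress=alice@example.com" \
        -addext "keyUsage = critical, digitalSignature, nonRepudiation" \
        -addext "extendedKeyUsage = emailProtection, clientAuth" 2>/dev/null
    echo "$WORK/alice.crt"
}

# Web server certificate: subject (and SAN) carry the FQDN, usage is serverAuth.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/www.key" -out "$WORK/www.crt" \
        -subj "/CN=www.example.com" \
        -addext "subjectAltName = DNS:www.example.com" \
        -addext "keyUsage = critical, digitalSignature, keyEncipherment" \
        -addext "extendedKeyUsage = serverAuth" 2>/dev/null
    echo "$WORK/www.crt"
}

# Read back the commonName and the extended key usage of a cert.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage \
        | sed -n '2s/^ *//p'
}

# Bundle the personal key+cert as PKCS#12, the format browsers import
# (the password is a placeholder).
export_pkcs12() {
    openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
        -out "$WORK/alice.p12" -passout pass:changeit
    echo "$WORK/alice.p12"
}

PERSONAL="$(make_personal_cert)"; SERVER="$(make_server_cert)"
printf 'personal: CN=%s; EKU=%s\n' "$(cert_cn "$PERSONAL")" "$(cert_eku "$PERSONAL")"
printf 'server:   CN=%s; EKU=%s\n' "$(cert_cn "$SERVER")" "$(cert_eku "$SERVER")"
printf 'browser bundle: %s\n' "$(export_pkcs12)"
```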