[SOLVED] Kmail and s/mime - help with cert import

mcloaked · 2013-10-17 19:15:55

I have been trying to import my startssl cert into Kmail version kdepim-kmail 4.11.2-1 (kde kdepim) in order to do s/mime signing and encryption, without success. I have googled extensively without success. Does anyone know how to do it or can point me to some guidance that works with the current up to date kmail? I have no problem working with my s/mime cert in Thunderbird but Kmail has completely defeated me! I have tried the usual routes to security/encryption settings within kmail and I can see my cert listed in Kleopatra but it won't import. I have tried the advice in the link at https://bugs.launchpad.net/ubuntu/+sour … bug/584027 but the method does not work for me.

Thanks for any input on this.

Last edited by mcloaked (2013-10-19 09:58:46)

mcloaked · 2013-10-18 19:36:41

After a great deal of searching I finally found the recipe for getting this to work. For anyone else interested the steps needed are as follows:

The startcom ssl certificate file is not properly recognised for import into gpgsm, which is the certificate backend handler in Kmail. So first extract the keys and output to a .pem file

openssl pkcs12 -in startcom-private-2013 -out startcom-private-2013.pem -nodes

where the certificate names need to be changed to match your own filenames.

Now export the private key to a new .p12 cert file

openssl pkcs12 -in startcom-private-2013.pem -export -out startcom-private-2013.p12 -nocerts -nodes

Import the key into gpgsm

gpgsm --import startcom-private-2013.p12

During the above you need the passphrase to open the certificate file, and also to create the new one during export.

Now one has to add the issuer certificates (CA + intermediate CA) into gpgsm if they are not already there. In a default arch system these will not be present so this step is essential.
The following command will add about 100 CA certificates or more from the ca-certificates package,
but you could also only add the specific CA's for your certificate if you want.

$ gpgsm --import /usr/share/ca-certificates/mozilla/*

You will need to set the trust level and confirm key fingerprints for each one!

Now check if your own key has been added:

$ gpgsm --list-secret-keys

Make sure that .gnupg/gpgsm.conf has the correct content:

$ cat .gnupg/gpgsm.conf

###+++--- GPGConf ---+++###
debug-level basic
log-file socket:///home/mike/.gnupg/log-socket
###+++--- GPGConf ---+++### Fri 18 Oct 2013 17:43:12 BST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
include-certs -1  # this will include all certificates in the chain up to the root
default-key xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
# my private key is default

Add default key to the file as above using the fingerprint from the previous list.

Now add the fingerprints to the trust file:

Make sure that option "allow-mark-trusted" is in gpg-agent.conf

$ cat .gnupg/gpg-agent.conf
#
# gpg agent 
#
pinentry-program /usr/bin/pinentry-gtk
no-grab
# GPGConf disabled this option here at Wed 10 Aug 2005 11:17:28 AM EDT
# default-cache-ttl 1800


###+++--- GPGConf ---+++###
default-cache-ttl 14400
debug-level basic
log-file socket:///home/mike/.gnupg/log-socket
###+++--- GPGConf ---+++### Thu 17 Oct 2013 19:40:20 BST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
#use-agent
#log-file /home/mike/Documents/gpg_stuff/new/gpg.log
allow-mark-trusted

Now execute the following to add the list of keys to the trust file:

gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt

(the command will append, not overwrite, the old file)

Only once all of the above has been done will kmail then will allow the private ssl certificate to be selected to be used for s/mime in the
cryptography section of the identity data once "modify" is selected.

If using a self signed ssl certificate some steps from the above may need to be different.

Now signing and encryption is possible in kmail.

Thaodan · 2013-10-18 20:03:14

does pinentry-qt4 doesn't work?

mcloaked · 2013-10-19 08:20:13

I haven't tried pinentry-qt4 but I guess everyone has a choice of the available options they like - and I have used the pinentry-gtk option for a long time and it works fine for me. However the choice of which pinentry option was not an issue in the original problem.

mcloaked · 2013-10-19 09:58:25

If any KDE users find that my "recipe" helps, and find that additional steps are necessary to process either self-signed certificates or those from other signing authorities, then it would also be valuable to add information to the KDDE userbase wiki page that I have written at http://userbase.kde.org/KMail/S_MIME

I will mark this thread as solved now.

Arch Linux

#1 2013-10-17 19:15:55

[SOLVED] Kmail and s/mime - help with cert import

#2 2013-10-18 19:36:41

Re: [SOLVED] Kmail and s/mime - help with cert import

#3 2013-10-18 20:03:14

Re: [SOLVED] Kmail and s/mime - help with cert import

#4 2013-10-19 08:20:13

Re: [SOLVED] Kmail and s/mime - help with cert import

#5 2013-10-19 09:58:25

Re: [SOLVED] Kmail and s/mime - help with cert import

Board footer