Creating a new X.509 certificate from your PGP key pair

This page complements http://wiki.cacert.org/ConvertingCertificateToPgp by describing the other way round.

The following tools are needed: GnuPG, openpgp2ssh from the monkeysphere project and openssl.

/!\ The steps described were performed on a virtual machine running Ubuntu.


  1. You already created a PGP key pair of RSA keys. Its secret key looks like this:

    sec   2048R/059B4809 2011-10-29 [valid to: 2013-12-31]

    The PGP key ID is $KEYID (in this example 059B4809).


  1. openpgp2ssh works only if the secret key is not passphrase-protected, so it might be necessary to remove the protection. The corresponding gpg command is:

    gpg --edit-key $KEYID

    Then use the passwd sub-command to remove the passphrase.


  1. Now it's time to export the PGP key and hand it over to openpgp2ssh:

    gpg --export-secret-key $KEYID | openpgp2ssh $KEYID > id_rsa

    id_rsa's content should look like:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
    -----END RSA PRIVATE KEY-----


  1. Next a Certificate Signing Request (CSR) can be generated:

    openssl req -new -key id_rsa -out id_rsa.csr

    id_rsa.csr's content should look like:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIC9jCCAd4CAQAwgZkxCzAJBgNVBAYTAkRFMRMwEQYDVQQIEwpTb21lLVN0YXRl[...]
    -----END CERTIFICATE REQUEST-----


  1. Now you have a CSR. Log in to the CAcert webpage -> "Client Certificates" -> "New" -> choose the registered email address, mark "Show advanced options", copy the content of id_rsa.csr into the input field headed "Optional Client CSR, no information on the certificate will be used", and click "Next".


  1. CAcert should notify you that the certificate can be retrieved.


  1. Copy the content from the certificate and from the file id_rsa into one file email@address.pem. Its content should look like:

    -----BEGIN CERTIFICATE-----
    MIIFRjCCAy6gAwIBAgIDCuP8MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv[...]
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
    -----END RSA PRIVATE KEY-----


  1. Finally create a PKCS#12 container:

    openssl pkcs12 -export -in email@address.pem -out email@address.pem.p12
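The steps above never check that the certificate CAcert hands back actually belongs to the key you exported from PGP, nor that the CSR was built from that key. The following script is an added example, not part of this wiki page or of the monkeysphere project: it compares the RSA modulus of a private key, a CSR and a certificate with openssl, then walks the OpenSSL part of the procedure with a throwaway key in a temporary directory (a self-signed certificate stands in for the one CAcert would issue, and the file names id_rsa, id_rsa.csr and email@address.pem follow the page). The pgp_key_to_pem wrapper reproduces the gpg | openpgp2ssh step but is not run by the demo, so only openssl is needed. The subject name and the PKCS#12 export passphrase "demo" are assumed values.

```shell
#!/usr/bin/env bash
# Added example (not from the CAcert wiki page): verify that key, CSR and
# certificate share one RSA modulus, then run the page's openssl steps on a
# throwaway key. Assumes openssl on PATH.
set -u

# Print the RSA modulus of a PEM file, whichever type it is.
# The REQUEST test must come first: "BEGIN CERTIFICATE REQUEST" also
# contains the string "BEGIN CERTIFICATE".
pem_modulus() {
    file="$1"
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$file"; then
        openssl req -in "$file" -noout -modulus
    elif grep -q 'BEGIN CERTIFICATE' "$file"; then
        openssl x509 -in "$file" -noout -modulus
    else
        openssl rsa -in "$file" -noout -modulus
    fi
}

# Return 0 if two PEM files (key, CSR or certificate) carry the same modulus.
same_modulus() {
    a=$(pem_modulus "$1") || return 2
    b=$(pem_modulus "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The page's export step: unprotected PGP secret key -> PEM RSA key.
# Needs gnupg and openpgp2ssh (monkeysphere); not executed by demo_pipeline.
pgp_key_to_pem() {
    keyid="$1"
    out="$2"
    gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid" > "$out"
}

# Walk the openssl steps with a constructed key and check every artifact
# against it. Returns 0 on success, 1 on any failure.
demo_pipeline() {
    dir=$(mktemp -d) || return 1
    subj="/CN=email@address.invalid"   # assumed subject for the demo
    # Stand-in for id_rsa as produced by openpgp2ssh (unencrypted RSA key).
    openssl genrsa -out "$dir/id_rsa" 2048 2>/dev/null || return 1
    # Step: CSR from the key (non-interactive via -subj).
    openssl req -new -key "$dir/id_rsa" -subj "$subj" \
        -out "$dir/id_rsa.csr" 2>/dev/null || return 1
    # Stand-in for the certificate CAcert would issue from that CSR.
    openssl x509 -req -in "$dir/id_rsa.csr" -signkey "$dir/id_rsa" -days 1 \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    # The checks the page leaves out: CSR and certificate must match the key.
    same_modulus "$dir/id_rsa" "$dir/id_rsa.csr" || return 1
    same_modulus "$dir/id_rsa" "$dir/cert.pem" || return 1
    # Step: certificate and key in one file, then the PKCS#12 container.
    cat "$dir/cert.pem" "$dir/id_rsa" > "$dir/email@address.pem"
    openssl pkcs12 -export -in "$dir/email@address.pem" \
        -out "$dir/email@address.pem.p12" -passout pass:demo 2>/dev/null || return 1
    [ -s "$dir/email@address.pem.p12" ] || return 1
    # Negative check: a key from another pair must not pass.
    openssl genrsa -out "$dir/other" 2048 2>/dev/null || return 1
    if same_modulus "$dir/other" "$dir/cert.pem"; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# Run the walkthrough when the script is executed directly.
demo_pipeline && echo "key, CSR, certificate and PKCS#12 container are consistent"
```

Run same_modulus against your real id_rsa and the certificate downloaded from CAcert before building the container; a mismatch means the CSR was generated from a different key than the one you think (for instance after re-running openpgp2ssh with another key ID). Note that id_rsa from openpgp2ssh is stored unencrypted, while the PKCS#12 container is protected by the export passphrase openssl asks for, so the .p12 is the file to keep around and id_rsa the one to delete once the import into the mail client has worked.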


You may now import your key pair to your email client.


ConvertingPgpKeyToCertificate (last edited 2016-05-05 14:49:02 by AlesKastner)