See EmailCertificates

Encryption in KDE - Installing and Using Certificates

The use of certificates has been problematic in almost all major Linux distros, for a while because helper apps like Aegypten and Kleopatra were in heavy development, and then because one vital app was simply not run in any distro. (gpg-agent) This missing jellybean is the reason certificates could not be imported into Kleopatra, and thus used in KMail.

Here we will show you how to get X.509 certificates working in KMail and other Linux apps.

To start, you must make cert requests on an authenticator service like CACert using Mozilla or Firefox. This is to use Mozilla's importing mechanism, which doesn't exist in Konqueror AFAIK. The first cert you need is CACert's Class 1 Root Certificate, which can be accessed from their home page. Import this into Firefox, and then in Edit|Preferences|Advanced|Encryption|ViewCertificates|Authorities|RootCA you will find CACert's Root Certificate. Export this to a Security directory in your home as a .pem file.

Now Join CACert and request your own cert for each email account you will want to sign or encrypt. Each of these will be imported into Firefox, and you will then find them in Edit|Preferences|Advanced|Encryption|ViewCertificates|YourCertificates. View each one's Details|Extensions|CertSubjectAltName to see which email address it is for, then Export it to a .p12 file in your Security directory with that email adddress in the name.

The next step is to enable the magic jellybean. gpg-agent must be run as your user, and it is important that you only run it once. For this reason I recommend against doing this in your ~/.bashrc file, since you may be opening multiple terminals. I load gpg-agent in ~/.kde/Autostart, just using an executable script:


# Use kwatchgnupg to troubleshoot

if test -f $HOME/.gpg-agent-info && kill -0 ‘cut -d: -f 2 $HOME/.gpg-agent-info‘ 2>/dev/null; then



export GPG_TTY=‘tty‘

Be sure to set ownership, and chmod to 770, as with your whole Security directory. At this point I'd reboot and log in, to check this real-world. ps aux |grep gpg-agent and make sure you see gpg-agent --daemon --use-standard-socket as a daemon.

Now; the normal recommendation is to import your certs into Konqueror, which will in turn feed them to Kleopatra and thence KMail. But personally, I don't see any point in identifying myself to every website I visit, so after the web browser export I delete my personal certs from Firefox YourCertificates, and I don't import them into Konq.

It's a good idea to monitor the next steps and all encryption activity with kwatchgnupg, until you've proven it works. Now run kleopatra as your user and import the certs there, starting with CACert's Root Cert. Follow the prompts, and you should see each cert in turn on kleo's list.

At this point you will see them also in KMail, but you're not quite there yet. Create a text file in ~/.gnupg called trustlist.txt . chown and chmod to 660, and open it for editing. In kleopatra, double-click CACert's root cert, click on Fingerprint, and in the white-window copy the fingerprint to the clipboard. Paste that into trustlist.txt and follow the fingerprint with <space>S. (space, capital S) This tells gpg-agent that that cert is ultimately trusted. Repeat this procedure with all your personal certs as well. Save and close trustlist.txt .

I would reboot one more time, just to be sure. Then in KMail|Settings|Security|Reading check Automatically Import, in Composing check Automatically Sign and Encrypt and uncheck Always Show, and in CryptoBackends make sure that OpenPGP and S/MIME are there, and checked. If not, use Adept to install kleopatra, openssl, and openpgp. In KMail|Identities double-click each email address that you got a cert for, Cryptography|S/MIMESigning,Encryption|Change and assign the cert for that address. OK to save.

Now compose a message and make sure it is Options|Signed, and send it to a freemail account. Examining it there you will find an attachment with crypto signature showing that you wrote that message, and that it has not been changed at all enroute. This also contains your Public Cert so that your recipient can import into their email client and send you encrypted messages. They have the Public Cert, and you have the Private one.

Now, to get much more customized certs, join the CACert Web of Trust.

-- Quantum