
Export public key with certificate

Created: 28 Jan 2014 • Updated: 03 Feb 2014 | 13 comments
Alex_CST:

Hi,

I need to find the right command string to export a public key along with the X.509 certificate (that will give me a .crt file extension). I actually need it in .CER format but I don't believe PGP Command Line can do that (I'll have to convert it using other means).

Looking at the manual, the --export command along with --export-format looks like what I need to do, but it doesn't really give me any syntax guidance:

Export Format

PGP Command Line supports multiple export formats:

  • Complete (default): Only ASCII-armored files are output; the default file extension is .asc. Use Complete to export keys in a newer format that supports all PGP features.
  • Compatible: Only ASCII-armored files are output; the default file extension is .asc. Use Compatible to export keys in a format compatible with older versions of PGP software; that is, PGP software versions 7.0 and prior. Some newer PGP features are not supported when using Compatible.
  • X.509-cert: Only ASCII-armored files are output; the default file extension is .crt. The <input> must match exactly one key, and --cert is required.
  • PKCS8: This format can produce unencrypted and encrypted PKCS8. Only ASCII armored files are output; the default file extension is .p8. A signed key must be paired. The <input> must match exactly one key.


It doesn't tell me what syntax I need to use to get it out in X.509 format. There is a command example:

Export the private key associated with the top X.509 certificate
pgp --export "Bob Smith" --export-format pkcs12 --passphrase "B0bsm1t4" --cert 0x6245273E
0x6245273E:export key (0:key exported to Bob Smith.p12)

Bob's key pair is exported to a file "Bob Smith.p12".

But this doesn't give me what I want.

Long story short, what I am after is:

  1. Command to export X509 certificate with public key into DER .crt format or PKCS#7 DER .p7c format

Thanks!
13 Comments

dcats:

Hi Alex,

I haven't tested this, but the output of "pgp --help" includes:

--export-format        compatible | complete | x509-cert | pkcs8 | pkcs12 | csr

Have you tried with the switch x509-cert instead of pkcs12?

Rgs,
dcats

Alex_CST:

Hi dcats,

Command I am currently trying to use is this:

C:\Windows\system32>pgp --export "Test User" --export-format x509-cert --cert 0x2314D6F2
0x2314D6F2:export key (3058:subkey not found)

I got the KeyID from importing the pkr of Test User into PGP Desktop. Is there an easier way I can determine the KeyID from within cmdline?

According to PGP Desktop there is a subkey within that PKR also, so I am confused!
Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dcats:

Hi Alex,

Please try with this syntax and let me know if it works:
pgp --export "Test User" --export-format x509-cert -o "my_0x2314D6F2_cert.crt"
or
pgp --export 0x2314D6F2 --export-format x509-cert -o "my_0x2314D6F2_cert.crt"

For checking the key details you can attempt:
pgp "Test User" --list-key-details
or
pgp 0x2314D6F2 --list-key-details

Rgs,
dcats

Alex_CST:

C:\Windows\system32>pgp --export "Test User" --export-format x509-cert -o "certnew.crt"
pgp:export key (3090:operation failed, item not found)
 
C:\Windows\system32>pgp "Test User" --list-key-details
pgp:list key details (2710:days left in current license, 27)
Key Details: Test User <test.user@******.com>
     Key ID: 0x2314D6F2 (0x06FE15592314D6F2)
       Type: RSA (v4) key pair
       Size: 2048
   Validity: Complete
      Trust: Implicit (Axiomatic)
    Created: 2014-01-28
    Expires: Never
     Status: Active
     Cipher: AES-128
     Cipher: AES-192
     Cipher: AES-256
     Cipher: TripleDES
       Hash: SHA-256
       Hash: SHA-512
   Compress: ZLIB
      Photo: No
  Revocable: Yes
      Token: No
  Keyserver: Absent
    Default: Yes
    Wrapper: No
 Prop Flags: Sign user IDs
 Prop Flags: Sign messages
 Prop Flags: PGP NetShare
 Prop Flags: PGP WDE
 Prop Flags: PGP ZIP
 Prop Flags: PGP Messaging
 Ksrv Flags: Absent
 Feat Flags: Modification detection
  Notations: 01 0x80000000 preferred-email-encoding@pgp.com=pgpmime
      Usage: Sign user IDs
      Usage: Sign messages
 
  Subkey ID: 0xE463BC8A (0x2935C8A1E463BC8A)
       Type: RSA (v4) subkey pair
       Size: 2048
    Created: 2014-01-28
    Expires: Never
     Status: Active
  Revocable: Yes
      Token: No
      X.509: No
 Prop Flags: Encrypt communications
 Prop Flags: Encrypt storage
 Prop Flags: PGP NetShare
 Prop Flags: PGP WDE
 Prop Flags: PGP ZIP
 Prop Flags: PGP Messaging
  Notations: None
      Usage: Encrypt communications
      Usage: Encrypt storage
      Usage: PGP NetShare
      Usage: PGP WDE
      Usage: PGP ZIP
      Usage: PGP Messaging
 
        ADK: None
 
    Revoker: None
 
1 key found

 

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dcats:

Hi Alex,

Please try it like this:
pgp --export "Test User" --export-format x509-cert --passphrase "passphrase" -o "certnew.crt"

Rgs,
dcats

Alex_CST:

Hi dcats,

I get the same error: 3090: operation failed, item not found.

I am running in an admin cmd window btw.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dcats:

Hi Alex,

In PGP Desktop, if you expand all user IDs within that key, do you have one with a certificate sign (showing CN=domain.tld)?

Rgs,
dcats

Alex_CST:

This is what I have when I imported that key into my local PGP Desktop installation:

[image: pgpissue.png]

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dcats:

Hi Alex,

That key does not contain a certificate. You only have the keypair of the PGP key.
It should be like this one below.

[image: key_with_cert.png]

Rgs,
dcats

Alex_CST:

Ah - that could be why!  Can I generate one in cmdline?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dcats:

Hi Alex,

I would need to double check. I believe you can create the key material with PGP Command Line, but then you need to generate the Certificate Signing Request (CSR) and have a CA sign the key. I think you cannot self-sign it with PGP Command Line.

However, you can have users with certificates generated by a SEMS with an Organization Certificate. Or use OpenSSL to generate and sign certificates. If they need to be trusted by an external CA that's another story.

I'm not sure if it's useful or not, but you can check this great tutorial made by Andreas Zengel, here is the link: https://www-secure.symantec.com/connect/forums/ste...

Rgs,
dcats

dcats:

Hi Alex,

It will not be possible to generate a self-signed certificate with PGP Command Line.
The product was conceived to work with OpenPGP. It allows X.509 usage as an "extended feature".

Rgs,
dcats

SOLUTION
Alex_CST:

Hi dcats,

I'll generate a self-signed one via OpenSSL and then see what I can do. That article done by Andreas is very handy; people should definitely check that out.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com
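Added example, not from the thread and not part of PGP Command Line: the OpenSSL route the accepted solution settles on, followed by the two conversions the original question asks for (a DER .cer and a PKCS#7 DER .p7c). It assumes openssl is on PATH; the subject name and file names are constructed for the example, and the sanity checks at the end are the ones a practitioner would run before handing the files to a Windows or SEMS admin.

```shell
#!/bin/sh
# Added example (not from the thread or from Symantec PGP Command Line).
# Assumptions: openssl on PATH; subject name and file names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. Key pair + self-signed certificate. Output is PEM (ASCII-armored),
#    the same encoding PGP Command Line's x509-cert export writes to .crt.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=test.user.example" \
        -keyout "$WORK/test_user.key" -out "$WORK/test_user.crt" 2>/dev/null
}

# 2. PEM .crt -> DER .cer (the binary encoding Windows tooling expects).
pem_to_der() {
    openssl x509 -in "$WORK/test_user.crt" -outform DER -out "$WORK/test_user.cer"
}

# 3. Certificate -> PKCS#7 DER .p7c (certificate-only bundle, no CRL).
der_to_p7c() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/test_user.crt" \
        -outform DER -out "$WORK/test_user.p7c"
}

build_all() {
    make_selfsigned && pem_to_der && der_to_p7c
}

# Sanity checks: a DER file starts with an ASN.1 SEQUENCE tag (0x30);
# the .cer must not carry private key material; the .p7c holds one cert.
der_header_ok() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

cer_subject() {
    openssl x509 -inform DER -in "$WORK/test_user.cer" -noout -subject
}

p7c_cert_count() {
    openssl pkcs7 -inform DER -in "$WORK/test_user.p7c" -print_certs | grep -c '^subject='
}

no_private_key_in_cer() {
    ! grep -aq 'PRIVATE KEY' "$WORK/test_user.cer"
}
```

The same `openssl x509 -outform DER` step applies unchanged to a .crt that PGP Command Line itself exports with --export-format x509-cert, since, per the manual text quoted at the top of the thread, that export is always ASCII-armored. A self-signed certificate is only trusted where the relying party has been handed that exact certificate; anything else still needs a CA-issued one.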