Endpoint Encryption


Export public key with certificate

  • 1.  Export public key with certificate

    Posted Jan 28, 2014 06:17 AM

    Hi,

    I need to find the right command string to export a public key along with the X.509 certificate (that will give me a .crt file extension). I actually need it in .CER format, but I don't believe PGP Command Line can do that (I'll have to convert it using other means).

    Looking at the manual, the --export command along with --export-format looks like what I need to do, but it doesn't really give me any syntax guidance:

    Export Format

    PGP Command Line supports multiple export formats:

    • Complete (default): Only ASCII-armored files are output; the default file extension is .asc. Use Complete to export keys in a newer format that supports all PGP features.
    • Compatible: Only ASCII-armored files are output; the default file extension is .asc. Use Compatible to export keys in a format compatible with older versions of PGP software; that is, PGP software versions 7.0 and prior. Some newer PGP features are not supported when using Compatible.
    • X.509-cert: Only ASCII-armored files are output; the default file extension is .crt. The <input> must match exactly one key, and --cert is required.
    • PKCS8: This format can produce unencrypted and encrypted PKCS8. Only ASCII armored files are output; the default file extension is .p8. A signed key must be paired. The <input> must match exactly one key.

     

    It doesn't tell me what syntax I need to use to get it out in X.509 format.  There is a command example: 

    Export the private key associated with the top X.509 certificate
    pgp --export "Bob Smith" --export-format pkcs12 --passphrase "B0bsm1t4" --cert 0x6245273E
    0x6245273E:export key (0:key exported to Bob Smith.p12)
     
    Bob's key pair is exported to a file "Bob Smith.p12".
     
    But this doesn't give me what I want.
     
    Long story short what I am after is:
     
    1. Command to export X509 certificate with public key into DER .crt format or PKCS#7 DER .p7c format 

     

    Thanks!


  • 2.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 29, 2014 04:10 AM

    Hi Alex,

    I haven't tested this, but the output of "pgp --help" includes:

    --export-format        compatible | complete | x509-cert | pkcs8 | pkcs12 | csr

    Have you tried with the switch x509-cert instead of pkcs12?

    Rgs,
    dcats



  • 3.  RE: Export public key with certificate

    Posted Jan 30, 2014 06:44 AM

    Hi dcats,

    Command I am currently trying to use is this:

    C:\Windows\system32>pgp --export "Test User" --export-format x509-cert --cert 0x2314D6F2
    0x2314D6F2:export key (3058:subkey not found)
     
    I got the KeyID from importing the pkr of Test User into pgp desktop.  Is there an easier way I can determine the keyID from within cmdline?
     
    According to PGP Desktop there is a subkey within that PKR also, So I am confused!


  • 4.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 30, 2014 09:39 AM

    Hi Alex,

    Please try with this syntax and let me know if it works:
    pgp --export "Test User" --export-format x509-cert -o "my_0x2314D6F2_cert.crt"
    or
    pgp --export 0x2314D6F2 --export-format x509-cert -o "my_0x2314D6F2_cert.crt"

    For checking the key details you can attempt:
    pgp "Test User" --list-key-details
    or
    pgp 0x2314D6F2 --list-key-details


    Rgs,
    dcats



  • 5.  RE: Export public key with certificate

    Posted Jan 30, 2014 11:26 AM
     
    C:\Windows\system32>pgp --export "Test User" --export-format x509-cert -o "certnew.crt"
    pgp:export key (3090:operation failed, item not found)
     
    C:\Windows\system32>pgp "Test User" --list-key-details
    pgp:list key details (2710:days left in current license, 27)
    Key Details: Test User <test.user@******.com>
         Key ID: 0x2314D6F2 (0x06FE15592314D6F2)
           Type: RSA (v4) key pair
           Size: 2048
       Validity: Complete
          Trust: Implicit (Axiomatic)
        Created: 2014-01-28
        Expires: Never
         Status: Active
         Cipher: AES-128
         Cipher: AES-192
         Cipher: AES-256
         Cipher: TripleDES
           Hash: SHA-256
           Hash: SHA-512
       Compress: ZLIB
          Photo: No
      Revocable: Yes
          Token: No
      Keyserver: Absent
        Default: Yes
        Wrapper: No
     Prop Flags: Sign user IDs
     Prop Flags: Sign messages
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
     Ksrv Flags: Absent
     Feat Flags: Modification detection
      Notations: 01 0x80000000 preferred-email-encoding@pgp.com=pgpmime
          Usage: Sign user IDs
          Usage: Sign messages
     
      Subkey ID: 0xE463BC8A (0x2935C8A1E463BC8A)
           Type: RSA (v4) subkey pair
           Size: 2048
        Created: 2014-01-28
        Expires: Never
         Status: Active
      Revocable: Yes
          Token: No
          X.509: No
     Prop Flags: Encrypt communications
     Prop Flags: Encrypt storage
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
      Notations: None
          Usage: Encrypt communications
          Usage: Encrypt storage
          Usage: PGP NetShare
          Usage: PGP WDE
          Usage: PGP ZIP
          Usage: PGP Messaging
     
            ADK: None
     
        Revoker: None
     
    1 key found


  • 6.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 31, 2014 03:58 AM

    Hi Alex,

    Please try it like this:
    pgp --export "Test User" --export-format x509-cert --passphrase "passphrase" -o "certnew.crt"

    Rgs,
    dcats



  • 7.  RE: Export public key with certificate

    Posted Jan 31, 2014 04:53 AM

    Hi dcats,

    I get the same error: 3090: operation failed, item not found.

    I am running in an admin cmd window btw.



  • 8.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 31, 2014 06:00 AM

    Hi Alex,

    In PGP Desktop, if you expand all user IDs within that key, do you have one with a certificate sign (showing CN=domain.tld)?

    Rgs,
    dcats



  • 9.  RE: Export public key with certificate

    Posted Jan 31, 2014 07:06 AM

    This is what I have when I imported that key into my local PGP Desktop installation:

    pgpissue.png



  • 10.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 31, 2014 07:44 AM

    Hi Alex,

    That key does not contain a certificate. You only have the keypair of the PGP key.
    It should be like this one below.

    key_with_cert.png

    Rgs,
    dcats
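
To spot this from the command line instead of from the PGP Desktop key view, the following added example (not from the thread and not part of PGP Command Line) parses the `--list-key-details` output quoted earlier and reports which keys or subkeys are listed with an X.509 certificate, which is what an `--export-format x509-cert` export needs. The listing text is a constructed excerpt of the posted output (masked e-mail domain replaced with example.com), and treating a block with no `X.509:` line as having no certificate is an assumption.

```python
import re

# Constructed excerpt of the `pgp "Test User" --list-key-details` output quoted
# earlier in this thread (the masked e-mail domain replaced with example.com).
SAMPLE_LISTING = """\
pgp:list key details (2710:days left in current license, 27)
Key Details: Test User <test.user@example.com>
     Key ID: 0x2314D6F2 (0x06FE15592314D6F2)
       Type: RSA (v4) key pair
      Usage: Sign user IDs

  Subkey ID: 0xE463BC8A (0x2935C8A1E463BC8A)
       Type: RSA (v4) subkey pair
      X.509: No
      Usage: Encrypt communications

1 key found
"""

# Same listing with the subkey reporting a certificate (constructed positive case).
SAMPLE_WITH_CERT = SAMPLE_LISTING.replace("X.509: No", "X.509: Yes")

KEY_RE = re.compile(r"^\s*(Key ID|Subkey ID):\s*(0x[0-9A-Fa-f]{8})\s*\((0x[0-9A-Fa-f]{16})\)")
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9. ]+?):\s*(.*)$")

def parse_key_details(text):
    """Split the listing into one dict per key/subkey, collecting the 'Name: value'
    lines that follow it (repeated names such as 'Usage' become a list)."""
    blocks, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"kind": m.group(1), "short_id": m.group(2),
                       "long_id": m.group(3), "fields": {}}
            blocks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:  # header lines before the first key are skipped
            current["fields"].setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return blocks

def x509_export_candidates(blocks):
    """Short IDs of keys/subkeys whose listing says 'X.509: Yes'. Assumption: a block
    without an 'X.509:' line (the primary key in the thread's output) carries no
    certificate, so an empty result predicts the 3090 'item not found' export error."""
    return [b["short_id"] for b in blocks
            if b["fields"].get("X.509", ["No"])[0].lower() == "yes"]
```

An empty result means the key has only OpenPGP material, as dcats concluded above, and a certificate has to come from elsewhere (a CA, SEMS, or OpenSSL) before the x509-cert export can work.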



  • 11.  RE: Export public key with certificate

    Posted Jan 31, 2014 09:57 AM

    Ah - that could be why!  Can I generate one in cmdline?



  • 12.  RE: Export public key with certificate

    Broadcom Employee
    Posted Jan 31, 2014 12:45 PM

    Hi Alex,

    I would need to double check. I believe you can create the key material with PGP Command Line but then you need to generate the Certificate Signing Request (CSR) and have a CA signing the key. I think you cannot self-sign it with PGP Command Line. However, you can have users with certificates generated by a SEMS with an Organization Certificate. Or use OpenSSL to generate and sign certificates. If they need to be trusted by an external CA that's another story.

    I'm not sure if useful or not, but you can check this great tutorial made by Andreas Zengel, here is the link: https://www-secure.symantec.com/connect/forums/step-step-guide-create-x509-certificate-extended-properties-using-kms

    Rgs,
    dcats


  • 13.  RE: Export public key with certificate
    Best Answer

    Broadcom Employee
    Posted Feb 03, 2014 10:43 AM

    Hi Alex,

    It will not be possible to generate a self-signed certificate with PGP Command Line.
    The product was conceived to work with OpenPGP. It allows x.509 usage as an "extended feature".


    Rgs,
    dcats



  • 14.  RE: Export public key with certificate

    Posted Feb 03, 2014 10:51 AM

    Hi dcats,

    I'll generate a self-signed via OpenSSL and then see what I can do. That article done by Andreas is very handy - people should definitely check that out.