Convert a X.509 (PKI) certificate to GPG

I see this question a lot all over the web, and it results in a lot of people saying it can’t be done.  However, this wasn’t the case back when PGP was owned by McAfee and had an official windows client.  Back then it was simply right click on the file and import it.

Heck, you could even create a CSR for your PGP key and have a CA create a signature for it, but only 2 CAs would do it, Thawte (before they were bought out by Verisign) and CAcert.  As far as I know they have both removed this functionality.

PGP.com has gone by the wayside, and many CAs no longer even offer s/mime email certs, which is a shame.  However, as this post will show, PKI and GPG suffer from major usability issues. In fact, the only successful public-key cryptography is https, and that is too hard for most admins to do well. U2F seems to be doing well, but I have GRAVE concerns about its long term security, but I have a bunch of specs to pour over before I make my concerns public.

Earlier this week, I used 2 different providers to get email certificates. One generated a private key for me, and sent it to me via email, along with an email of the password.  As Ben Franklin said “three can keep a secret, if two of them are dead”, because a shared secret really isn’t a secret.  Email isn’t secure, it really never has been, so sending me secrets unencrypted is not really useful.

I need to generate my own secret, and ask for a signature, this is the whole point of a CSR.  In the old days you could tell your browser to generate a certificate using a JavaScript API, apparently that has now been deprecated and only works in Internet Explorer.  Even though this makes sense, because getting true random numbers is hard, it makes for the first pain point in using public-key cryptography.

I finally found a company that would issue me my email certificate using the Sectigo CA, and they “validated my identity” … NOT.  They validated my email, took a copy my drivers license, over unencrypted email. Then never once talked to me in person, never validated that the person who sent the email matched the email etc.  This is to be expected, I guess,  I have mentioned that online identity validation really isn’t, in my previous article.   To generate my own certificate, and have the sign it, I had to use IE, on Windows,  yuck.  Even Microsoft doesn’t want you using IE anymore.

Now I have a certificate, and I wanted to show this import to PGP, so let’s get started.  Gnu Privacy Guard (GPG), is the Linux default for working with PGP. For the purpose of this discussion, GPG, PGP, and OpenPGP are synonymous terms, though PGP was a commercial product, GPG was the Linux product, and OpenPGP is the standard and not really a product at all.

I am using Ubuntu 20.04 (focal). I downloaded kleopatra because it is a nice cross platform GUI for GnuPG, I am only using command line utilities, for the work and using kleopatra to view the results. The pem2openpgp tool is included in monkeysphere.

sudo apt install kleopatra monkeysphere -y

Steps

  • Break the pfx (p12) into pem files that can be used.  For some reason, GPG cant handle standard encoding.

    openssl pkcs12 -in sectigo.pfx -nokeys -out gpg-certs.pem
    openssl pkcs12 -in sectigo.pfx -nocerts -out gpg-key.pem
  •  Combine the keys into something GPG recognizes
    openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
  • Import into GPG
    gpgsm --import gpg-key.p12
  • At this point we have the p12 imported, and we can see it in Kleopatra, but we can’t use it for PGP operations.
    cat gpg-key.pem | PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "Your Name <your@email.address>" > key.pgp
  • Now!!!! we have a pgp key and you import key.pgp into gpg and it will absolutely have the same key ask your certificate.
    gpg --import key.pgp

Now, if pull up kleopatra, you can see that you have a certificate AND a PGP key, if you delete EITHER of them and you delete the private key, you will see that BOTH private keys are removed, because it isn’t 2, but rather a single private key.

Remember to delete all these files, and to use strong passwords.  Ideally you would store these keys on a FIPS compliant smartcard that uses 2 factor authentication.

Leave a Reply