I need to send a private key file to someone (a trusted sysadmin) securely. I suggested a couple options, but he replied as follows:

Hi, I have neither LastPass nor GnuPG, but I'm using SSL certificates. This message is signed with one, so you will be able to send a message to me and encrypt it with my public key.

I used openssl to obtain his certificate:

openssl pkcs7 -in smime.p7s -inform DER -print_certs 

The certificate is issued by:

issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected] 

(Firefox doesn't have a root certificate from cacert.org.)

Now, how do I encrypt the key file I wish to send to him? I prefer to use a command line tool available in Ubuntu.

@lgeorget:

$ openssl pkcs7 -inform DER -outform PEM -in smime.p7s -out smime.pem
$ openssl smime -encrypt -text -in /home/myuser/.ssh/mykeyfile smime.pem
unable to load certificate
139709295335072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

and

$ openssl pkcs7 -in smime.p7s -inform DER -print_certs
subject=/CN=Wojciech Kapcia/[email protected]/[email protected]
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
-----BEGIN CERTIFICATE-----
MIIFzjCCA7agAwIBAgIDDR9oMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
dEBjYWNlcnQub3JnMB4XDTEzMDQxODA3NDEzNFoXDTE1MDQxODA3NDEzNFowcDEY
MBYGA1UEAxMPV29qY2llY2ggS2FwY2lhMSkwJwYJKoZIhvcNAQkBFhp3b2pjaWVj
[snip]
N1lNLq5jrGhqMzA2ge57cW2eDgCL941kMmIPDUyx+pKAYj1I7IibN3wcP1orOys3
amWMrFRa30LBu6jPYy2TeeoQetKnabefMNE3Jv81gn41mPOs3ToPXEUmYU18VZ75
Efd/qu4SV/3SMdySSNmPAVQdXYAxBEXoN5b5FpUW7KeZnjoX4fkEUPeBnNwcptTC
d1w=
-----END CERTIFICATE-----
  • Could you give the output of openssl pkcs7 -in smime.p7s -inform DER -print_certs ? Commented Mar 5, 2014 at 16:12
  • Okay, so the problem is just the format. You should cut the first two lines and put the rest in a file called cert.pem or something like that. (It has already been converted to PEM when you did print_certs, because DER is a binary, unprintable format.) The problem with OpenSSL is that it expects the file to begin with -----BEGIN CERTIFICATE-----. Commented Mar 5, 2014 at 18:20

2 Answers

You can do

openssl smime -encrypt -text -in <file> smime.p7s 

where <file> is the file you want to encrypt. If the file smime.p7s is in DER format instead of PEM, you will have to convert it with:

openssl pkcs7 -inform DER -outform PEM -in smime.p7s -out smime.pem 

You obtain a file you can send to your sysadmin. If you are brave enough, you can remove -text and play with the options -to, -subject, etc. to get a valid email file you can send directly to an SMTP server.

If the root certificate of the certificate you use to encrypt is not recognized by your operating system but YOU trust it, you can add it to the certificate base.

cp smime.pem /usr/local/share/ca-certificates/certificate.crt
sudo update-ca-certificates

The certificate must have the .crt extension. Details here.

  • I'm getting an error: Expecting: TRUSTED CERTIFICATE. See update in my question for more details. Thanks Commented Mar 5, 2014 at 15:55
  • If you trust the certificate that signs this certificate, then you can import it as a trusted certificate in your operating system. Just give me a minute to remember how you can do that. Commented Mar 5, 2014 at 16:00
  • @MountainX I edited :-). Commented Mar 5, 2014 at 16:04
  • Actually your error might be caused by a wrong format. Are you sure it's PEM? Commented Mar 5, 2014 at 16:08
  • The root certificate is available here: cacert.org/index.php?id=3 Should I not download it from there and install that one in my OS instead of the method you gave? Commented Mar 5, 2014 at 17:37

Yes, extracting the cert FROM the pkcs7 with -print_certs is correct, and if you want to trust the recipient's root use the one from cacert.org, not the cert from the pkcs7.

Some explanations/notes:

The extra lines before the cert block are no problem. openssl allows 'comment' text in PEM files before the '-----BEGIN' line (and after '-----END') although this is nonstandard and other programs often don't.

The error message about 'TRUSTED CERTIFICATE' is somewhat misleading. openssl actually allows two variants in a certificate PEM file: '[X.509] CERTIFICATE' and 'TRUSTED CERTIFICATE'. The former is standard, the latter is used only within openssl and then only rarely. openssl looks for them in that order, so if it doesn't find either the error message says TRUSTED not found. This format allows certain trust attributes in the cert file, and is different from the presence of the cert in openssl's trust store directory (or file).

openssl smime -encrypt does NOT check that the recipient cert validates against the trust store, although maybe it should. If there's any possibility the p7s/cert you received was tampered with or forged, you should manually openssl verify the cert before using it, because if that cert actually has a bad guy's key instead of the good guy's, your data can be decrypted by the bad guy.
