notes: ssl/conversion2.txt@68d27bdf49c9 (annotated)

38 68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	1	http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	2
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	3	OpenSSH -> OpenSSL
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	4	==================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	5
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	6	OpenSSH private keys are directly understable by OpenSSL:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	7
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	8	openssl rsa -in ~/.ssh/id_rsa -text
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	9	openssl dsa -in ~/.ssh/id_dsa -text
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	10
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	11	So, you can directly create certification request:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	12
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	13	openssl req -new -key ~/.ssh/id_dsa -out mykey.csr
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	14
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	15	OpenSSL -> OpenSSH
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	16	==================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	17
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	18	Private keys format is same between OpenSSL and OpenSSH, but not public key format. Nevertheless, you extract public key from private key file:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	19
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	20	ssh-keygen -y -f id_rsa > id_rsa.pub
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	21
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	22	GnuPG -> OpenSSL
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	23	================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	24
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	25	Gpgsm utility can exports keys and certificate in PCSC12:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	26
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	27	gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	28
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	29	You have -> extract Key and Certificates separatly:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	30
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	31	openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	32	openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	33
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	34	You can now use it in OpenSSL.
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	35
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	36	You can also do similar thing with GnuPG public keys. There will be only certificates output.
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	37
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	38	OpenSSL -> GnuPG
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	39	================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	40
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	41	Invert process:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	42
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	43	openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	44	gpgsm --import gpg-key.p12
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	45
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	46	GnuPG -> OpenSSH
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	47	================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	48
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	49	Now, chain processes:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	50
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	51	gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	52	openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	53
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	54	We need -> protect key, else ssh refuse it.
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	55
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	56	chmod 600 gpg-key.pem
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	57	cp gpg-key.pem ~/.ssh/id_rsa
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	58	ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	59
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	60	OpenSSH -> GnuPG
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	61	================
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	62
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	63	First we need to create a certificate (self-signed) for our ssh key:
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	64
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	65	openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	66
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	67	We can now import it in GnuPG
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	68
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	69	openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	70	gpgsm --import ssh-key.p12
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	71
68d27bdf49c9 ssl conversions Tomas Zeman <tzeman@volny.cz> parents: diff changeset	72	Notice you cannot import/export DSA ssh keys to/from GnuPG

author	Tomas Zeman <tzeman@volny.cz>
	Fri, 18 Jul 2014 15:48:34 +0200
changeset 38	68d27bdf49c9
permissions	-rw-r--r--