ssl/conversion2.txt
changeset 38 68d27bdf49c9
37:889dfa7eace0 38:68d27bdf49c9
       
     1 http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL
       
     2 
       
     3 OpenSSH -> OpenSSL
       
     4 ==================
       
     5 
       
     6 OpenSSH private keys are directly understable by OpenSSL:
       
     7 
       
     8   openssl rsa -in ~/.ssh/id_rsa -text
       
     9   openssl dsa -in ~/.ssh/id_dsa -text
       
    10 
       
    11 So, you can directly create certification request:
       
    12 
       
    13   openssl req -new -key ~/.ssh/id_dsa -out mykey.csr
       
    14 
       
    15 OpenSSL -> OpenSSH
       
    16 ==================
       
    17 
       
    18 Private keys format is same between OpenSSL and OpenSSH, but not public key format. Nevertheless, you extract public key from private key file:
       
    19 
       
    20   ssh-keygen -y -f id_rsa > id_rsa.pub
       
    21 
       
    22 GnuPG -> OpenSSL
       
    23 ================
       
    24 
       
    25 Gpgsm utility can exports keys and certificate in PCSC12:
       
    26 
       
    27   gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
       
    28 
       
    29 You have -> extract Key and Certificates separatly:
       
    30 
       
    31   openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
       
    32   openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem
       
    33 
       
    34 You can now use it in OpenSSL.
       
    35 
       
    36 You can also do similar thing with GnuPG public keys. There will be only certificates output.
       
    37 
       
    38 OpenSSL -> GnuPG
       
    39 ================
       
    40 
       
    41 Invert process:
       
    42 
       
    43   openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
       
    44   gpgsm --import gpg-key.p12
       
    45 
       
    46 GnuPG -> OpenSSH
       
    47 ================
       
    48 
       
    49 Now, chain processes:
       
    50 
       
    51   gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
       
    52   openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
       
    53 
       
    54 We need -> protect key, else ssh refuse it.
       
    55 
       
    56   chmod 600 gpg-key.pem
       
    57   cp gpg-key.pem ~/.ssh/id_rsa
       
    58   ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
       
    59 
       
    60 OpenSSH -> GnuPG
       
    61 ================
       
    62 
       
    63 First we need to create a certificate (self-signed) for our ssh key:
       
    64 
       
    65   openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem
       
    66 
       
    67 We can now import it in GnuPG
       
    68 
       
    69   openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
       
    70   gpgsm --import ssh-key.p12
       
    71 
       
    72 Notice you cannot import/export DSA ssh keys to/from GnuPG
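
Review bot: in the "OpenSSH -> GnuPG" section the certificate is written with `-out ssh-cert.pem` but the following pkcs12 export reads `-in ssh-certs.pem`, so the second command fails as written; use the same file name in both. In "GnuPG -> OpenSSH", `chmod 600 gpg-key.pem` runs only after the file already exists, so until then the private key has whatever mode it was created with, and `cp gpg-key.pem ~/.ssh/id_rsa` overwrites any key already at that path. Suggest setting `umask 077` before the export, copying to a distinct file name, and adding a line telling the reader to delete secret-gpg-key.p12 and gpg-key.pem once the key is installed. On wording: "You have -> extract" and "We need -> protect" look like a search-and-replace of "to" that hit the prose as well as the headings, "PCSC12" should be PKCS12, and "understable" should be "understandable".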