KMail/S MIME

From KDE UserBase Wiki

For a user with a startcom ssl certificate that needs to be imported into Kmail it is necessary to set up gpgsm to prepare the certificate so that it is trusted and available to be imported into Kmail before s/mime signing and encryption can be used. Without doing the set of preparatory procedures below Kmail will not accept the certificate and s/mime cannot be used.

It is gpgsm that is the ssl certificate backend handler in Kmail. First it is necessary to extract the keys and output to a .pem file

openssl pkcs12 -in startcom-private-2013 -out startcom-private-2013.pem -nodes 

where the certificate names need to be changed to match your own filenames.

Now export the private key to a new .p12 cert file

openssl pkcs12 -in startcom-private-2013.pem -export -out startcom-private-2013.p12 -nocerts -nodes 

Import the key into gpgsm

gpgsm --import startcom-private-2013.p12 

During the above you need the passphrase to open the certificate file, and also to create the new one during export.

Now one has to add the issuer certificates (CA + intermediate CA) into gpgsm if they are not already there. In a default arch linux KDE system these will not be present so this step is essential.

The following command will add about 100 CA certificates or more from the ca-certificates package, but you could also only add the specific CA's for your certificate if you want.

$ gpgsm --import /usr/share/ca-certificates/mozilla/* 

You will need to set the trust level and confirm key fingerprints for each one! Now check if your own key has been added:

$ gpgsm --list-secret-keys 

Make sure that .gnupg/gpgsm.conf has the correct content:

$ cat .gnupg/gpgsm.conf

###+++--- GPGConf ---+++###
debug-level basic
log-file socket:///home/mike/.gnupg/log-socket
###+++--- GPGConf ---+++### Fri 18 Oct 2013 17:43:12 BST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
include-certs -1  # this will include all certificates in the chain up to the root
default-key xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
# my private key is default 

Add default key to the file as above using the fingerprint from the previous list.

Now add the fingerprints to the trust file: Make sure that option "allow-mark-trusted" is in gpg-agent.conf

$ cat .gnupg/gpg-agent.conf
#
# gpg agent 
#
pinentry-program /usr/bin/pinentry-gtk
no-grab
# GPGConf disabled this option here at Wed 10 Aug 2005 11:17:28 AM EDT
# default-cache-ttl 1800


###+++--- GPGConf ---+++###
default-cache-ttl 14400
debug-level basic
log-file socket:///home/mike/.gnupg/log-socket
###+++--- GPGConf ---+++### Thu 17 Oct 2013 19:40:20 BST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
#use-agent
#log-file /home/mike/Documents/gpg_stuff/new/gpg.log
allow-mark-trusted 

Now execute the following to add the list of keys to the trust file:

gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt 

(the command will append, not overwrite, the old file) Only once all of the above has been done will Kmail then will allow the private ssl certificate to be selected to be used for s/mime in the cryptography section of the identity data once "modify" is selected.

If using a self signed ssl certificate some steps from the above may need to be different.

Within Kmail the keys can be managed using Kleopatra. Now signing and encryption is possible in kmail.