I need to send a private key file to someone (a trusted sysadmin) securely. I suggested a couple of options, but he replied as follows:
Hi, I have neither LastPass nor GnuPG, but I'm using SSL certificates – this message is signed with one, so you will be able to send a message to me and encrypt it with my public key.
I used openssl to obtain his certificate:
openssl pkcs7 -in smime.p7s -inform DER -print_certs
The certificate is issued by:
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
(Firefox doesn't have a root certificate from cacert.org.)
Now, how do I encrypt the key file I wish to send to him? I prefer to use a command line tool available in Ubuntu.
@lgeorget:
$ openssl pkcs7 -inform DER -outform PEM -in smime.p7s -out smime.pem
$ openssl smime -encrypt -text -in /home/myuser/.ssh/mykeyfile smime.pem
unable to load certificate
139709295335072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
and
$ openssl pkcs7 -in smime.p7s -inform DER -print_certs
subject=/CN=Wojciech Kapcia/emailAddress=someone@example.com/emailAddress=someone@example.com
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Best Answer
You can do

where <file> is the file you want to encrypt. If the file smime.p7s is in DER format instead of PEM, you will have to convert it with:

You obtain a file you can send to your sysadmin. If you are brave enough you can remove -text and play with the options -to, -subject, etc. to get a valid email file you can directly send to an SMTP server.

If the root certificate of the certificate you use to encrypt is not recognized by your operating system but YOU trust it, you can add it to the certificate base. The certificate must have the .crt extension. Details here.