Oct 03, 2019  When prompted, type and verify a password for the new keypair. Your key has been generated. If you want to create a new key with more information, you should issue the command: gpg -full-generate-key. One Gpg4Win is installed and Kleopatra is running, we can generate the first PGP key-pair. Now click on File = New Certificate; Select the 'Create a personal OpenPGP key pair' option; Enter your name and emails address into the following form; Review your settings then click on the 'Create Key' button if everything is all right. Jun 30, 2018  Create Your Public/Private Key Pair and Revocation Certificate. Use gpg -full-gen-key command to generate your key pair. Gpg -full-gen-key. It asks you what kind of key you want. Notice there’re four options. The default is to create a RSA public/private key pair and also a RSA signing key. Let’s hit Enter to select the default. Feb 26, 2018  GPG is the Gnu Privacy Guard and it is an implementation of OpenPGP (Open Pretty Good Privacy). It is an encryption technique that was originally developed for use in. Jun 01, 2018  This guide will show you how to generate a GPG key, set up your computer to serve it in place of an SSH key, and put the new public key onto your server for authentication. It will also detail how to optionally move your GPG private key onto a smartcard or YubiKey to prevent authentication when the device isn’t plugged into your computer.

To communicate with others you must exchange public keys.To list the keys on your public keyring use the command-line option --list-keys.

Exporting a public key

To send your public key to a correspondent you must first export it.The command-line option --exportis used to do this.It takes an additional argument identifying the public key to export.As with the --gen-revoke option, either the key ID or any part ofthe user ID may be used to identify the key to export.

The key is exported in a binary format, but this can be inconvenientwhen the key is to be sent though email or published on a web page.GnuPG therefore supports a command-line option --armor[1]that that causes output to be generated in an ASCII-armored format similar touuencoded documents.In general, any output from GnuPG, e.g., keys, encrypted documents, andsignatures, can be ASCII-armored by adding the --armor option.

Importing a public key

A public key may be added to your public keyring with the--import option.

Once a key is imported it should be validated.GnuPG uses a powerful and flexible trust model that does not requireyou to personally validate each key you import.Some keys may need to be personally validated, however.A key is validated by verifying the key's fingerprint and then signingthe key to certify it as a valid key.A key's fingerprint can be quickly viewed with the--fingerprintcommand-line option, but in order to certify the key you must edit it.A key's fingerprint is verified with the key's owner.This may be done in person or over the phone or through any other meansas long as you can guarantee that you are communicating with the key'strue owner.If the fingerprint you get is the same as the fingerprint the key'sowner gets, then you can be sure that you have a correct copy of the key.

After checking the fingerprint, you may sign the key to validate it.Since key verification is a weak point in public-key cryptography,you should be extremely careful and always checka key's fingerprint with the owner before signing the key.

Once signed you can check the key to list the signatures on it andsee the signature that you have added.Every user ID on the key will have one or more self-signatures as wellas a signature for each user that has validated the key.

Notes

[1]

Manycommand-line options that are frequently used can also be set in aconfiguration file.

7 Creating a certificate

Contents

Now that you have found out why GnuPG is so secure(Chapter 3), and how a good passphraseprovides protection for your private key (Chapter 4),you are now ready to create your own key pair .

As we saw in Chapter 3, a key pair consists ofa public and a private key. With the addition of ane-mail address, login name etc., which youenter when creating the pair (so-called meta data), you can obtainyour private certificate with the public and private key.

This definition applies to both OpenPGP as well as S/MIME (S/MIMEcertificates correspond with a standard described as'X.509').

It would be nice if I could practice this importantstep of creating a key pair ..

Gpg Generate New Public Keys

Not to worry, you can do just that - but only with OpenPGP:

If you decide for the OpenPGP method of authentication, the 'Web of Trust', then you can practice theentire process for creating a key pair, encryption and decryption asoften as you like, until you feel very comfortable.

This 'dry run' will strengtthen your trust in Gpg4win, and the 'hotphase' of OpenPGP key pair creation will no longer be a problem foryou.

Your partner in this exercise is Adele . Adele is a testservice which is still derived from the GnuPP predecessorproject and is still in operation. In this compendium wecontinue to recommend the use of this practice robot. We would alsolike to thank the owners of gnupp.de for operating this practicerobot.

Using Adele, you can practice and test the OpenPGP key pairwhich you will be creating shortly, before you start using it in earnest.But more on that later.

Let's go!Open Kleopatra using the Windows start menu:

You will see the main Kleopatra screen -the certificate administration:

At the beginning, this overview will be empty, since you have notcreated or imported any certificates yet.

Click on File -> New Certificate.

In the following dialog you select the format for the certificate. Youcan choose from the following: OpenPGP (PGP/MIME)or X.509 (S/MIME).

The differences and common features of the two formats have already beendiscussed in Chapter 5.

This chapter of the compendium breaks off into twosections for each method at this point. Information is then combinedat the end of the Chapter.

Depending on whether you chose OpenPGP or X.509 (S/MIME), you can nowread either:

• Section 7.1:Creating an OpenPGP certificate page) or
• Section 7.2:Creating an X.509 certificateX).

7.1 Creating an OpenPGP certificate

In the certificate option dialog, click on [Createpersonal OpenPGP key pair].

Now enter your e-mail address and your name inthe following window. Name and e-mail addresswill be made publicly visible later.

You also have the option of adding a comment for the key pair. Usuallythis field stays empty, but if you are creating a key for testpurposes, you should enter 'test' so you do not forget it is a testkey. This comment becomes part of your login name, and will becomepublic just like your name and e-mail address.

If you first wish to test your OpenPGP key pair, you cansimply enter any name and fictional e-mail address, e.g.:
Heinrich Heineand heinrich@gpg4win.deEaseus data recovery wizard 10.2 license key generator.

The Advanced settings are only be required in exceptionalcases. For details, see the Kleopatra handbook (viaHelp -> Kleopatra handbook).

Click on [Next].

You will see a list of all of the main entries and settingsfor review purposes. If you are interested in the (default)expert settings, you can view these via the All detailsoption.

If everything is correct, click on [Create key].

Now to the most important part: entering yourpassphrase!

To create a key pair, you must enter your personal passphrase:

If you have read Chapter 4 you should now have aneasy-to-remember but hard to break secret passphrase. Enter it in thedialog displayed at the top.

Please note that this window may have been opened in the backgroundand is not visible at first.

If the passphrase is not secure enough because it is too short or doesnot contain any numbers or special characters, the system will tellyou.

At this point you can also enter a test passphrase or startin earnest; it's up to you.

To make sure that you did not make any typing errors, the system willprompt you to enter your passphrase twice. Always confirm your entrywith [OK].

Now your OpenPGP key pair is being created:

This may take a couple of minutes. You can assist the creation of therequired random numbers by entering information in the lower inputfield. It does not matter what you type, as the characters will not be used, only the time period between each key stroke. You can alsocontinue working with another application on your computer, which willalso slightly increase the quality of the new key pair.

As soon as the key pair creation has been successful, youwill see the following dialog:

The 40-digit 'fingerprint' of your newlygenerated OpenPGP certificate is displayed in the results text field.This fingerprint is unique anywhere in the world, i.e. no other personwill have a certificate with the same fingerprint. Actually, even at8 digits it would already be quite unlikely that the same sequence would occur twice anywhere in world. For this reason, it is often only the last 8 digits of afingerprint which are used or shown, and which are described as thekey ID. This fingerprintidentifies the identity of the certificate as well as the fingerprintof a person.

However, you do not need to remember or write down the fingerprint.You can also display it later in Kleopatra's certificate details.

Next, you can activate one or more of the following three buttons:

Creating a backup copy of your (private) certificate..

Enter the path under which your full certificate (which containsyour new key pair, hence the private and public key) should be exported:

Kleopatra will automatically select the file type and store yourcertificate as an .asc or.gpg file -depending on whether you activate or deactivate the ASCIIarmor option. /xjz-survey-remover-permission-key-generator-full.html.

For export, click on [OK].

Important: If you save the file on the hard drive, youshould copy the file to another data carrier (USB stick, disketteor CD-ROM) as soon as possible, and delete the original filewithout a trace, i.e. do not leave it in the Recycle bin! Keepthis data carrier and back-up copy in a safe place.

You can also create a back-up copy later; to do this, select thefollowing from the Kleopatra main menu:File -> Export private certificate.. (see Chapter19).

Sending a certificate via e-mail ..

Clicking on this button should create a new onee-mail -with your new public certificate in the attachment. Your secretOpen PGP key will of course not be sent. Enter arecipient e-mail address; you can also addmore text to the prepared text for this e-mail.

Please note: Not alle-mail programs support this function. Of course you can also dothis manually: If you do not see anewe-mail window, shut down thecertificate creation assistant, save your public certificate viaFile -> Export certificate and sent this filevia e-mail tothe people you are corresponding with. For more details seeSection 8.1.

Sending certificates to certificate servers..

Chapter explains howto set up a globally available OpenPGP certificate server in Kleopatra,and how you can publish your public certificate on thisserver 16.

This completes the creation of your OpenPGP certificate. End theKleopatra assistant with [Finish].

Now let's go to Section 7.3 onpage X. Starting at that point,the explanations for OpenPGP and X.509 will again be identical.

7.2 Creating an X.509 certificate

In the certificate format selection dialog on page ,X click on the button
[Create personal X.509 key pair and authenticationrequest].

In the following window, enter your name (CN = common name), youre-mail address (EMAIL), organisation (O) andyour country code (C). Optionally, you can also add your location (L =Locality) and department (OU = Organizational Unit).

If you first wish to test the X.509 key pair creationprocess, you can enter any information for name, organization andcountry code, and can also enter a fictional e-mail address, e.g.:CN=HeinrichHeine,O=Test,C=DE,EMAIL=heinrich@gpg4win.de

The Advanced settings will only be required in exceptionalcases. For details, see the Kleopatra handbook (viaHelp -> Kleopatra handbook).

Click on [Next].

You will see a list of all main entries and settings for reviewpurposes. If you are interested in the (default) expert settings,you can view these via the All details option.

Once everything is correct, click on [Creat key].

Now to the most important part: Entering your passphrase!

In order to create a key pair, you will be asked to enter yourpassphrase:

If you have read Chapter 4 you should now have aneasy-to-remember but hard to break secret passphrase. Enter it in thedialog displayed at the top!

Please note that this window may have been opened in the background,so it may not be visible at first.

If the passphrase is not secure enough because it is too short or doesnot contain any numbers or special characters, the system will let youknow.

At this point you can also enter a test passphrase or startin earnest; it's up to you.

To make sure that you did not make any typing errors, the system willprompt you to enter your passphrase twice. Finally, you will be askedto enter your passphrase a third time: By doing that, you are sendingyour certificate request to theauthenticating instance in charge. Always confirm your entries with[OK].

Now your X.509 key pair is being created:

This may take a couple of minutes. You can assist the creation of therequired random numbers by entering information in the lower inputfield. It does not matter what you type, as the characters will not be used, only the time period between each key stroke. You can alsocontinue working with other applications on your computer, which willslightly increase the quality of the key pair that is being created.

As soon as the key pair has been successfully created, youwill see the following dialog:

The next steps are triggered with the following buttons:

Save request in file..

Here, you enter the path under whichyour X.509 certificate request should be backed up, and confirmyour entry. Kleopatra will automatically add the file ending .p10during the saving process. This file can then besent to an authentication instance (in short CA for CertificateAuthority). Further below, wewill refer you to cacert.org, which is a non-commercialauthentication instance (CA) that issues X.509 certificates freeof charge.

Sending an request by e-mail ..

Thiscreates a new e-mail with the certificate requestwhich has just been created in the attachment. Enter a recippiente-mail address - usually that of yourcertificate authority in charge; you can also add more textto the prepared text of this e-mail.

Please note: Not all e-mail programs support thisfunction. Of course you can also do this manually: If you do notsee a new e-mailwindow, save your request in a file (see above)and send it by e-mail to your certificate authority (CA).

As soon as the CA has processed your request, the CA systemadministrator will send you the completed X.509 certificate, whichhas been signed by the CA. You only need to import the file intoKleopatra (see Chapter 19).

End the Kleopatra assistant with [Finish].

Creating an X509 certificate using www.cacert.org

CAcert is a non-commercial certificate authority whichissues X.509 certificates free of charge. It offers an alternative tocommercial root CAs, some of which charge very high fees for theircertificates.

To create a (client) certificate at CAcert, you first have to registerat www.cacert.org.

Immediately following registration, you can create one or more clientcertificates on cacert.org: please make sure you have sufficient keylength (e.g. 2048 bits). Use the web assistant to define a securepassphrase for your certificate.

Your client certificate is now created.

Afterwards you will receive an e-mail with twolinks to your new X.509 certificate and associated CAcert rootcertificate. Download both certificates.

Follow the instructions to install the certificate on your browser. InFirefox, you can use e.g. Edit -> Settings -> Advanced -> Certificatesto find your installed certificate under the first tab 'Yourcertificates' with the name (CN) CAcert WoT User.

You can now issue a personal X.509 certificate which has your name inthe CN field. To do this, you must have your CAcert accountauthenticated by other members of the CACert Web of Trust. Informationon obtaining such a confirmation can be found on the Internet pages ofCAcert.

Gpg Generate New Public Key Search

Then save a backup copy of your personal X.509 certificate. Theending .p12 will automatically be appliedto the backup copy.

Attention: This .p12 file contains yourpublic and your private key. Please ensure that this file isprotected againt unauthorised access.

To find out how to import your personal X.509 certificate inKleopatra, see Chapter 19.

Let's now look at Section 7.3 on thenext page. This is where explanations for OpenPGP and X.509 areidentical again.

7.3 Certificate creation process complete

This completes the creation of your OpenPGP or X.509 key pair.You now have a unique electronic key.

During the course of this compendium, we will always use an OpenPGPcertificate for sample purposes - however, all information will alsoapply accordingly to X509 certificates.

You are now back in the Kleopatra main window. The OpenPGP certificatewhich was just created can be found in the certificate administrationunder the tab My certificates:

Double-click on your new certificate to view all details related tothe certificate:

What do the certificate details mean?

Your certificate is valid indefinitely, i.e. it has no 'built-inexpiry date'. To change its validity at a later point, clickon [Change expiry date].

For more details about the certificate, seeChapter 15.

© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under theGNU Free Documentation License v1.2.

7 Creating a certificate

Contents