
pem2openpgp(1) [debian man page]

PEM2OPENPGP(1)						    BSD General Commands Manual 					    PEM2OPENPGP(1)

NAME
     pem2openpgp -- translate PEM-encoded RSA keys to OpenPGP certificates

SYNOPSIS
     pem2openpgp $USERID < mykey.pem | gpg --import

     PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authenticate,certify pem2openpgp $USERID <mykey.pem

DESCRIPTION
     pem2openpgp is a low-level utility for transforming raw, PEM-encoded RSA secret keys into OpenPGP-formatted certificates. The generated
     certificates include the secret key material, so they should be handled carefully.

     It works as an element within a pipeline: feed it the raw key on stdin, and supply the desired User ID as a command line argument. Note
     that you may need to quote the string to ensure that it is entirely in a single argument. Other choices about how to generate the new
     OpenPGP certificate are governed by environment variables.

ENVIRONMENT
     The following environment variables influence the behavior of pem2openpgp:

     PEM2OPENPGP_TIMESTAMP
             controls the timestamp (measured in seconds since the UNIX epoch) indicated as the creation time (a.k.a. "not valid before") of
             the generated certificate (self-signature) and the key itself. By default, pem2openpgp uses the current time.

     PEM2OPENPGP_KEY_TIMESTAMP
             controls the timestamp (measured in seconds since the UNIX epoch) indicated as the creation time of just the key itself (not
             the self-signature). By default, pem2openpgp uses the value from PEM2OPENPGP_TIMESTAMP.

     PEM2OPENPGP_USAGE_FLAGS
             should contain a comma-separated list of valid OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what these mean). The
             available choices are: certify, sign, encrypt_comms, encrypt_storage, encrypt (this means both encrypt_comms and
             encrypt_storage), authenticate, split, shared. By default, pem2openpgp only sets the certify flag.

     PEM2OPENPGP_EXPIRATION
             sets an expiration (measured in seconds after the creation time of the key) in each self-signature packet. By default, no
             expiration subpacket is included.

     PEM2OPENPGP_NEWKEY
             indicates that pem2openpgp should ignore stdin, and instead generate a new key internally and build the certificate based on
             this new key. Set this variable to the number of bits for the new key (e.g. 2048). By default (when this is unset),
             pem2openpgp will read the key from stdin.

AUTHOR
     pem2openpgp and this man page were written by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.

BUGS
     Only handles RSA keys at the moment. It might be nice to handle DSA keys as well.

     Currently only creates certificates with a single User ID. Should be able to create certificates with multiple User IDs.

     Currently only accepts unencrypted RSA keys. It should be able to deal with passphrase-locked key material.

     Currently outputs OpenPGP certificates with cleartext secret key material. It would be good to be able to lock the output with a
     passphrase.

     If you find other bugs, please report them at https://labs.riseup.net/code/projects/show/monkeysphere

SEE ALSO
     openpgp2ssh(1), monkeysphere(1), monkeysphere(7), ssh(1), monkeysphere-host(8), monkeysphere-authentication(8)

BSD								  March 1, 2009								 BSD
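As an added example (not code from this man page or from the monkeysphere project), the following POSIX shell wrapper runs the SYNOPSIS pipeline but first checks the two inputs that the ENVIRONMENT section leaves to the caller: it converts a day count into the seconds value PEM2OPENPGP_EXPIRATION expects and rejects any PEM2OPENPGP_USAGE_FLAGS entry that is not in the list above. The function names, the argument order and the script name in the usage comment are this example's own assumptions; only the variable names and the flag list come from the page.

```shell
#!/bin/sh
# Added example, not part of the pem2openpgp man page or the monkeysphere
# project: a wrapper around the SYNOPSIS pipeline that validates the
# PEM2OPENPGP_* inputs before the key is read. Function names
# (expiration_seconds, validate_usage_flags, run_pem2openpgp) are this
# example's own; the variable names and flag list come from ENVIRONMENT.

# Usage flags accepted by PEM2OPENPGP_USAGE_FLAGS, as listed in the man page.
ALLOWED_USAGE_FLAGS="certify sign encrypt_comms encrypt_storage encrypt authenticate split shared"

# Turn a number of days into the seconds-after-creation value that
# PEM2OPENPGP_EXPIRATION expects. Anything but a whole number is rejected,
# because a malformed value here silently changes the key's lifetime.
expiration_seconds() {
    case "$1" in
        ''|*[!0-9]*) echo "expiration_seconds: '$1' is not a number of days" >&2; return 1 ;;
    esac
    echo $((86400 * $1))
}

# Check a comma-separated list such as "authenticate,certify" against the
# allowed set, so a typo is caught here rather than passed on to pem2openpgp.
validate_usage_flags() {
    [ -n "$1" ] || { echo "validate_usage_flags: empty flag list" >&2; return 1; }
    old_ifs=$IFS
    IFS=,
    set -- $1            # split the list on commas into positional parameters
    IFS=$old_ifs
    for flag in "$@"; do
        found=0
        for allowed in $ALLOWED_USAGE_FLAGS; do
            [ "$flag" = "$allowed" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "validate_usage_flags: unknown usage flag '$flag'" >&2
            return 1
        fi
    done
    return 0
}

# Build the environment from a day count and a flag list, then run the
# pipeline from SYNOPSIS. Importing straight into gpg keeps the cleartext
# secret key material (which the output contains) off the filesystem.
run_pem2openpgp() {
    userid=$1 keyfile=$2 days=$3 flags=$4
    validate_usage_flags "$flags" || return 1
    secs=$(expiration_seconds "$days") || return 1
    PEM2OPENPGP_EXPIRATION=$secs PEM2OPENPGP_USAGE_FLAGS=$flags \
        pem2openpgp "$userid" < "$keyfile" | gpg --import
}

# Stand-alone usage (script name assumed):
#   ./pem2openpgp-wrap.sh 'Alice <alice@example.org>' mykey.pem 30 authenticate,certify
if [ "$#" -eq 4 ]; then
    run_pem2openpgp "$@"
fi
```

The User ID is passed as a single quoted argument, which is the quoting the DESCRIPTION warns about. If the certificate has to be written to a file instead of piped into gpg, run the script with a restrictive umask (for example umask 077) so the cleartext secret key is not world-readable.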


NBSVTOOL(1)						    BSD General Commands Manual 					       NBSVTOOL(1)

NAME
     nbsvtool -- create and verify detached signatures of files

SYNOPSIS
     nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage]
              command args ...

DESCRIPTION
     nbsvtool is used to create and verify detached X509 signatures of files. Private keys and certificates are expected to be PEM encoded,
     signatures are in PEM/SMIME format.

     Supported commands:

     sign file
             Sign file, placing the signature in file.sp7. The options -f and -k are required for this command.

     verify file [signature]
             Verify signature for file. If signature is not specified, file.sp7 is used.

     verify-code file [signature]
             This is a short cut for verify with the option -u code.

     Supported options:

     -a anchor-certificates
             A file containing one or more (concatenated) keys that are considered trusted.

     -c certificate-chain
             A file containing additional certificates that will be added to the signature when creating one. They will be used to fill
             missing links in the trust chain when verifying the signature.

     -f certificate-file
             A file containing the certificate to use for signing. The certificate must match the key given by -k.

     -k private-key-file
             A file containing the private key to use for signing.

     -u required-key-usage
             Verify that the extended key-usage attribute in the signing certificate matches required-key-usage. Otherwise, the signature
             is rejected. Key usage can be one of: ``ssl-server'', ``ssl-client'', ``code'', or ``smime''.

     -v      Print verbose information about the signing certificate.

EXIT STATUS
     The nbsvtool utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
     Create signature file hello.sp7 for file hello. The private key is found in file key, the matching certificate is in cert, additional
     certificates from cert-chain are included in the created signature.

           nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

     Verify that the signature hello.sp7 is valid for file hello and that the signing certificate allows code signing. Certificates in
     anchor-file are considered trusted, and there must be a certificate chain from one of those certificates to the signing certificate.

           nbsvtool -a anchor-file verify-code hello hello.sp7

SEE ALSO
     openssl_smime(1)

CAVEATS
     As there is currently no default trust anchor, you must explicitly specify one with -a, otherwise no verification can succeed.

BSD								 March 11, 2009								 BSD