Configuration based on https://pki-tutorial.readthedocs.io/en/latest/simple/index.html, but leaving out the intermediate subordinate CA and tinkering around with extensions and policies.
To generate a default S/MIME CSR, just run
make
To specify the file name of the CSR, enter the slightly more verbose
make certs/your-cert-name-here.csr
Then send the CSR to the one playing Root CA. Put the returned certificate file your-cert-name-here.crt into the certs directory, and generate a PKCS#12 file via
make certs/your-cert-name-here.p12
Then import the p12 file via
gpgsm --import certs/your-cert-name-here.p12
Note that this generates classical 4096-bit RSA keys and certificates, which should be supported by a wide range of mail clients. If you want to generate newer RSA-PSS certificates, prefix your certificate name with rsapss_ like so:
make certs/rsapss_your-cert-name-here.p12
Note that support for checking RSA-PSS signatures might not be that widespread, though.
If you want to be the root, run
make root-ca/ca.crt
The root certificate will always be a 4096-bit RSA certificate.
You may want to change the PKI name (both in root-ca.conf and smime-req.conf) and the Authority Information Access URI in the Root CA configuration.
If you are going to make use of CRLs and want to make them available at a URI, change the crl_distribution_point variable defined in the root_ca section of root-ca.conf.
To sign CSRs, put them into the certs directory and run
make certs/csr-name.crt
Send the resulting csr-name.crt to the requester.
To generate CRLs, run
make root-ca/ca.crl
Revoke certificates by running
openssl ca -config config/root-ca.conf -revoke root-ca/${CERT_SERIAL}.pem -crl_reason superseded
where CERT_SERIAL contains the serial number of the certificate that should be revoked. Also adapt the CRL reason according to your needs. Regenerate the CRL afterwards and publish it accordingly.
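As an added example that is not part of this repository's Makefile, the following POSIX shell script walks through the same issue, revoke and regenerate-the-CRL flow with a throwaway CA and checks the certificate's status at each step. It assumes an openssl binary whose verify subcommand supports -crl_check and -CRLfile; the CA configuration, names and serial in it are constructed for the demonstration, not the repository's root-ca.conf.

```shell
#!/bin/sh
# Added example, not the project's Makefile: build a throwaway root CA, issue
# one certificate, revoke it with a reason, regenerate the CRL and check the
# certificate's status with "openssl verify" at each step.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

# Minimal "openssl ca" configuration, constructed here (not the repo's root-ca.conf).
cat > ca.conf <<'EOF'
[ ca ]
default_ca       = root_ca
[ root_ca ]
database         = index.txt
serial           = serial
new_certs_dir    = newcerts
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName       = supplied
EOF
mkdir newcerts && touch index.txt && echo 1000 > serial

# Self-signed root plus one leaf CSR; the names are made up for this example.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.org" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
# Issuing through "openssl ca" records the cert in index.txt and newcerts/1000.pem,
# the same serial-named copy the README refers to as ${CERT_SERIAL}.pem.
openssl ca -batch -config ca.conf -notext -in leaf.csr -out leaf.crt 2>/dev/null

# Prints valid, revoked or invalid for certificate $1 checked against CRL $2.
# Without -crl_check the CRL would be ignored and a revoked cert still verifies.
check_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1) && { echo valid; return 0; }
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}
gen_crl() { openssl ca -config ca.conf -gencrl -out "$1" 2>/dev/null; }

gen_crl crl-old.pem
BEFORE=$(check_status leaf.crt crl-old.pem)   # valid
openssl ca -config ca.conf -revoke leaf.crt -crl_reason superseded 2>/dev/null
STALE=$(check_status leaf.crt crl-old.pem)    # still valid: the old CRL predates the revocation
gen_crl crl-new.pem
AFTER=$(check_status leaf.crt crl-new.pem)    # revoked
```

The stale result is the failure mode behind "regenerate the CRL afterwards": a relying party that still holds the old CRL keeps accepting the superseded certificate until the regenerated one is published.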
These files are licensed under the MIT license. This work is based on https://pki-tutorial.readthedocs.io/en/latest/simple/index.html, Stefan H. Holek, 2014.