Using CACert certificates with KMail on Debian

Monday, February 27, 2006 at 02:27 PM

Since I had some difficulties getting my CACert certificate integrated with KMail on Debian unstable, I wanted to share the steps I took in order to get email encryption and singing up and running. Basically you need to run gpg-agent, create the certificate with Firefox, export it to KMail and congfigure KMail to use it for encryption and signing.

  1. Setup gpg-agent

    For some reason gpg-agent is not enabled by default in Debian. Add this to your ~/.xsession to run gpg-agent when you log in:

    eval "$(gpg-agent --daemon --allow-mark-trusted)"

  2. Log out and back in

  3. Check if gpg-agent is running
    set | grep GPG_AGENT_INFO
    The output should like similar to this:
  4. Import the root certificate into kleopatra

    1. Download and save the CACert root certificate
    2. Run kleopatra
    3. File -> Import Certificates
    4. Select the saved file

  5. Create and import your personal into Firefox
    I have not been able to create a personal certificate using konqueror so far. CACert always complains about an invalid certificate request.

    1. Run firefox
    2. Import the CACert root certificate (Documentation).
    3. Create and import your personal certificate from CACert (Documentation).

  6. Export your personal certificate from Firefox

    1. Edit -> Preferences -> Advanced -> Security -> View Certificates
    2. Select your certificate and click Backup

    3. Choose a filename and password

  7. Import your personal certificate into Konqueror and Kleopatra

    1. Run konqueror
    2. Settings -> Configure Konqueror -> Crypto -> Your Certificates -> Import
    3. Choose the file exported from Firefox
    4. Enter the password
    5. Choose to make the certificate available to KMail
    6. Enter the password

    7. Choose a password to protect the certificate within Kleopatra

  8. Check if the certificate was imported

    Run gpgsm -k to list the imported certificates. The CACert root certificate and your personal certiciate should be displayed:

    Serial number: 00 Issuer: /CN=CA Cert Signing Authority
    /OU=http:\x2f\ CA
    / Subject: /CN=CA Cert Signing
    CA/ validity: 2003-03-30 12:29:49
    through 2033-03-29 12:29:49 key type: 4096 bit RSA chain
    length: unlimited
    fingerprint: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

    Use gpgsm -K to display your personal certiciate only.

  9. Setup kmail to use your personal certificate

    1. Run kmail
    2. Settings -> Configure KMail -> Identities -> Modify -> Cryptography

    3. Choose Change button next to S/Mime signing certificate and select your personal certificate

    4. Do the same for S/Mime encryption certificate

  10. That's it
  11. Now you should be able to send and receive signed and encrypted emails with KMail.

Entry filed under: KDE, Linux, Debian

No entries
Nothing found in the guestbook.