On Windows, Scute is installed most easily with GPG4Win (Scute is included in GPG4Win). On Linux, Scute has to be compiled and installed manually. This is quite simple, however; the following instructions describe it for Ubuntu:

  1. First, the following packages have to be installed: sudo apt-get install libgpg-error-dev libassuan-dev gnupg2 pinentry-gtk2 (on Kubuntu use: sudo apt-get install libgpg-error-dev libassuan-dev gnupg2 pinentry-qt)

  2. Then download Scute: wget ftp://ftp.gnupg.org/gcrypt/scute/scute-1.2.0.tar.bz2

  3. and unpack it: tar xvfj scute-1.2.0.tar.bz2

  4. Scute is compiled and installed in the usual way:

    cd scute-1.2.0
    ./configure
    make
    sudo make install
  5. Afterwards, some Scute files can be found in /usr/local/lib. (The following steps of this paragraph are described in more detail here.) Open Firefox and choose "Edit" / "Preferences" / "Advanced" / "Security Devices" from the menu. Click "Load", enter "Scute" as the module name and select the file /usr/local/lib/libscute.so. After confirming (and possibly restarting Firefox), Scute should be listed as a security device. All that remains is to set up the Crypto Stick and the certificates.

The following instructions apply to Linux and are based on the official documentation, with some corrections. On Windows, the program gpgsm (version 2.0.13 or later) is to be used instead of the script gpgsm-gencert.sh. It is not included in the current GPG4Win and therefore has to be compiled manually. In the following, replace the text "Dein Name" with your first and last name (and likewise "dein.name" and "Vorname").

To use an OpenPGP card with Scute, it first has to be initialized by generating or loading a key on the card, see the OpenPGP Card How-To. Then a certificate has to be created and imported into GPGSM. This task involves three steps: First, a certificate signing request (CSR) has to be created that matches the key on the card. This certificate signing request then has to be submitted to a certificate authority (CA), which will create the certificate and send it back to you. At last, the certificate has to be imported into GPGSM. This section will explain all of these steps in detail.

Before you start, make sure that the GPG Agent is running. (A functional installation of GnuPG 2.0 requires a running GPG Agent process, which must be advertised to the applications via the GPG_AGENT_INFO environment variable). There is no need to configure GPGSM, so you can create a CSR with the command:

     $ gpgsm-gencert.sh > dein-name.p10
     Key type
      [1] RSA
      [2] Existing key
      [3] Direct from card
     Your selection: 3
     You selected: Direct from card

As we create a certificate for the OpenPGP Card, the option “[3] Direct from card” should be selected.

     Card with S/N D27600012401010100010000051B0000 found
     gpg-agent uses OPENPGP.3 as ssh key
     Select key
      [1] OPENPGP.1
      [2] OPENPGP.2
      [3] OPENPGP.3
      [4] back
     Your selection: 3
     You selected: OPENPGP.3
     Key usage
      [1] sign, encrypt
      [2] sign
      [3] encrypt
     Your selection: 2
     You selected: sign

The only operation currently supported is client authentication. For this, the authentication key has to be selected. This is the third key on the card, so the options “[3] OPENPGP.3” and “[2] sign” should be chosen. Note that the key usage is only advisory, and the CA may assign different capabilities.

     Name (DN)
     > CN=Dein Name,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
     E-Mail addresses (end with an empty line)
     > dein.name@example.com
     E-Mail addresses (end with an empty line)
     >
     DNS Names (optional; end with an empty line)
     >
     URIs (optional; end with an empty line)
     >

As a last step, the common name and e-mail address of the key owner need to be specified by you. The values above are only an example for a fictitious person working at a fictitious company. DNS names are only meaningful for server certificates and thus should be left empty.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

     Parameters for certificate request to create:
          1     Key-Type: card:OPENPGP.3
          2     Key-Length:
          3     Key-Usage: sign
          4     Name-DN: CN=Dein Name,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
          5     Name-Email: dein.name@example.com
     
     Really create such a CSR?
      [1] yes
      [2] no
     Your selection: 1
     You selected: yes

GPGSM will now start working on creating the request. During this time you will be asked once for a passphrase to unprotect the authentication key on the card. A pop-up window will appear to ask for it.

When it is ready, you should see the final notice:

       gpgsm: certificate request created

Now, you may look at the created request:

     $ cat dein-name.p10
     -----BEGIN CERTIFICATE REQUEST-----
     MIICCDCCAXECAQAwgYExCzAJBgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNl
     cnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRk
     MRcwFQYDVQQLEw5XZWJzZXJ2ZXIgVGVhbTEUMBIGA1UEAxMLRmxvcHB5IEhlYWQw
     gaAwDQYJKoZIhvcNAQEBBQADgY4AMIGKAoGBANWaM9YS89AOx3GX1Rua+4DUHwbL
     wt0rBYdBddlabMMteVjUcOOhbFMirLpLAi1S8fUXNiy84ysOmFStmvSIXDsAgXq5
     1ESOU4SNg2zEkPDF1WYJ5BFIXdYq9i2k5W7+ctV8PkKv3e5IeYXTa5qppIPD31de
     gM8Qj7tK0hL/eNCfAgQAAQABoEUwQwYJKoZIhvcNAQkOMTYwNDAiBgNVHREEGzAZ
     gRdmbG9wcHkuaGVhZEBleGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCBsAwDQYJKoZI
     hvcNAQEFBQADgYEAFC9q6+ib9YGCLB/2AlZR+/dvb+pEeXR1EbpV/dw/gjP1yPY6
     29n8ZIDLUvQvNCtfCcXFxFimVSSB/KmFXXsJbM+NXQyT6Ocn34iHmkf9IVRMWQWg
     ZBYfQVeXAd7XlxI6d1wXDLwD/26lTU/rH2JU6H1+zSfZxqwVC4Iu+kiN4Y8=
     -----END CERTIFICATE REQUEST-----
     $
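Before the request goes to a CA, it is worth checking that the subject, e-mail address and requested key usage inside the PKCS#10 blob are what you typed, since that is exactly what the CA will copy into the certificate. The following Python is an added example, not part of the original page or of GnuPG: it reads the CSR printed above with a minimal DER TLV walker (no external ASN.1 library) and assumes, as gpgsm does, that the extensions sit in a single extensionRequest attribute. Note that the blob on this page still decodes to the values from the original GnuPG documentation ("Floppy Head"), not to "Dein Name".

```python
import base64

# CSR copied verbatim from the session above (it was generated for the fictitious "Floppy Head").
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICCDCCAXECAQAwgYExCzAJBgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNl
cnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRk
MRcwFQYDVQQLEw5XZWJzZXJ2ZXIgVGVhbTEUMBIGA1UEAxMLRmxvcHB5IEhlYWQw
gaAwDQYJKoZIhvcNAQEBBQADgY4AMIGKAoGBANWaM9YS89AOx3GX1Rua+4DUHwbL
wt0rBYdBddlabMMteVjUcOOhbFMirLpLAi1S8fUXNiy84ysOmFStmvSIXDsAgXq5
1ESOU4SNg2zEkPDF1WYJ5BFIXdYq9i2k5W7+ctV8PkKv3e5IeYXTa5qppIPD31de
gM8Qj7tK0hL/eNCfAgQAAQABoEUwQwYJKoZIhvcNAQkOMTYwNDAiBgNVHREEGzAZ
gRdmbG9wcHkuaGVhZEBleGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCBsAwDQYJKoZI
hvcNAQEFBQADgYEAFC9q6+ib9YGCLB/2AlZR+/dvb+pEeXR1EbpV/dw/gjP1yPY6
29n8ZIDLUvQvNCtfCcXFxFimVSSB/KmFXXsJbM+NXQyT6Ocn34iHmkf9IVRMWQWg
ZBYfQVeXAd7XlxI6d1wXDLwD/26lTU/rH2JU6H1+zSfZxqwVC4Iu+kiN4Y8=
-----END CERTIFICATE REQUEST-----"""
# Attribute-type OIDs (2.5.4.x) in DER form, plus the two extensions gpgsm requests.
ATTR = {b"U\x04\x03": "CN", b"U\x04\x06": "C", b"U\x04\x07": "L",
        b"U\x04\x08": "ST", b"U\x04\x0a": "O", b"U\x04\x0b": "OU"}
SAN, KEY_USAGE = b"U\x1d\x11", b"U\x1d\x0f"          # 2.5.29.17 subjectAltName, 2.5.29.15 keyUsage

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf, handling long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                    # long form: low 7 bits = number of length octets
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def parse_csr(pem):
    """Return (subject dict, rfc822 names, first KeyUsage byte) from a PKCS#10 CSR."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    cri = next(tlvs(next(tlvs(der))[1]))[1]              # CertificationRequestInfo
    _ver, (_, subject), _spki, (_, attrs) = list(tlvs(cri))
    dn = {}
    for _, rdn in tlvs(subject):                         # RDN = SET { SEQUENCE { OID, value } }
        (_, typ), (_, val) = list(tlvs(next(tlvs(rdn))[1]))
        dn[ATTR.get(typ, typ.hex())] = val.decode()
    # Assumption: one extensionRequest attribute = SEQUENCE { OID, SET { SEQUENCE OF Extension } }
    ext_set = list(tlvs(next(tlvs(attrs))[1]))[1][1]
    exts = {list(tlvs(e))[0][1]: list(tlvs(e))[-1][1] for _, e in tlvs(next(tlvs(ext_set))[1])}
    names = next(tlvs(exts.get(SAN, b"\x30\x00")))[1]    # GeneralNames; tag 0x81 = rfc822Name
    emails = [v.decode() for t, v in tlvs(names) if t == 0x81]
    usage = next(tlvs(exts[KEY_USAGE]))[1][1] if KEY_USAGE in exts else 0  # 0x80 digitalSignature, 0x20 keyEncipherment
    return dn, emails, usage
```

For the "[2] sign" choice made above, the returned usage byte has the digitalSignature bit (0x80) set and the keyEncipherment bit (0x20) clear; a CSR asking for more than that is one you should not submit for a card authentication key.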

The next step is to submit this certificate request to the CA, which can then create a certificate and send it back to you.

If, for example, you use the CA CAcert, then you can log into your account at the CAcert website, choose "client certificates", "new", check "advanced options", paste the above request block into the text field and click on “Submit”. If everything works correctly, a certificate will be shown, which you can cut and paste into a new file dein-name.crt.

Alternatively, if you have set up your own CA with OpenSSL, you can create the certificate yourself by issuing a command similar to openssl ca -in dein-name.p10 -cert snakeoil-ca-rsa.crt -keyfile snakeoil-ca-rsa.key -out dein-name.crt. Please see the OpenSSL documentation for more details on how to set up and administer a certificate authority infrastructure.

Either way, you should end up with a certificate file dein-name.crt.

It is recommended that you import the root certificate of the CA first in the same fashion. For CAcert you do this by downloading the class 3 certificate and importing it:

     $ wget http://www.cacert.org/certs/class3.txt
     $ gpgsm --import class3.txt
     gpgsm: certificate imported
     
     gpgsm: total number processed: 1
     gpgsm:               imported: 1

Your certificate file dein-name.crt has to be imported into GPGSM:

     $ gpgsm --import dein-name.crt
     gpgsm: certificate imported
     
     gpgsm: total number processed: 1
     gpgsm:               imported: 1

gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. To see the content of your certificate, you may now enter:

     $ gpgsm -K Vorname
     /home/foo/.gnupg/pubring.kbx
     ---------------------------
     Serial number: 10
            Issuer: /CN=Snake Oil CA/OU=Certificate Authority/O=Snake Oil, Ltd/L=Snake Town/ST=Snake Desert/C=XY/EMail=ca@snakeoil.dom
           Subject: /CN=Dein Name Head/OU=Webserver Team/O=Snake Oil, Ltd/ST=Snake Desert/C=XY
          validity: 2006-11-11 14:09:12 through 2007-11-11 14:09:12
          key type: 1024 bit RSA
       fingerprint: EC:93:A2:55:C6:58:7F:C9:9E:96:DB:12:6E:64:99:54:BB:E1:94:68

The option “-K” is used above because this will only list certificates for which a private key is available. To see more details, you may use “--dump-secret-keys” instead of “-K”.

GPFWiki: CryptoStickScute (last edited 2010-01-03 14:04:24 by e178108182)


Creative Commons License: This work is licensed under a Creative Commons license.