GPG public key created with GnuPG is rejected by MS Outlook 2010, why?
I created a GPG keypair with GnuPG on the CentOS 7 command line and I have exported the public key into a .asc file and successfully used that public key to encrypt emails sent from another email address, which have been successfully decrypted using the private key that was created along with that public key.
So how can I generate a public key file that MS Outlook 2010 will accept and be able to successfully use to encrypt emails sent to be encrypted by the same private key?
Here is what I have done so far:
Using putty, I typed
gpg --list-public-keys
at the server terminal. I noted that 12321KP4 was the id of the pub key in the results of gpg --list-public-keys.
I next typed
gpg --armor --export 12321KP4 > /path/to/username_pubkey.cer
I then typed
cat /path/to/username_pubkey.cer
and confirmed that it is in fact a bunch of encrypted content. I downloaded the resulting username_pubkey.cer file.
I opened “Outlook 2010.” In “Outlook > Contacts,” I opened the contact form for the contact whose certificate is username_pubkey.cer. On the “contact” tab, in the “show” group, I clicked “certificates,” and then clicked Import.
I selected the username_pubkey.cer file and clicked “open,” but got the following error dialog:
How can I generate a keyfile that Outlook can import and then successfully use to send encrypted emails that can be decrypted on the other end?
Note that Thunderbird is able to do this with a keyfile from this same key. Also note that I want to manually import the key first this way, and wait until later to develop the tools to send the key by email. The private key is on a server that hosts an app, and I would have to write my own code to send out public keys by email. I want to wait to write that code until after getting this approach to work first.
EDIT
As per @JakeGould's suggestion, I typed
sudo unix2dos /path/to/username_pubkey.cer /path/to/username_pubkey_dos.cer
but I got the following in response:
unix2dos: converting file /path/to/username_pubkey.cer to DOS format ...
unix2dos: /path/to/username_pubkey_dos.cer: No such file or directory
unix2dos: Skipping /path/to/username_pubkey_dos.cer, not a regular file.
How can I resolve this?
You're confusing two different digital certificate systems. Certificates are not interchangeable between the two systems.
OpenPGP
OpenPGP provides a non-hierarchical trust system, which does not require central certificate authorities. It is the more powerful, but also more complex system. Most mail clients do not support it out of the box, and require add-ons for using it.
Everybody can create his own key, and get it signed by others.
X.509 and S/MIME
The other option for digital certificates is X.509, used in S/MIME for e-mail, but also in SSL/TLS for transport encryption of HTTP and other protocols. Here you have a bunch of certificate authorities (actually usually several hundred) that you trust (by the default settings of your computer/mail client), and that can vouch for others (issue certifications) which you then automatically trust.
This is a good fit for (hierarchically organized) companies, which probably is the reason that it has much more wide-spread implementation. Outlook, Thunderbird and most other (reasonable) mail clients support it by default.
There are lots of certificate authorities where you could buy such a certificate (valid for a given timespan). I'm only listing two especially interesting ones:
- StartSSL is an Israel-based company issuing free basic certificates for mail and servers, but without validating your real ID (only your mail address). The advantage is that they are trusted by all major browser and operating system vendors. Certificates including your real name are available for a flat rate of around $60 per year. Be aware that revoking a certificate (e.g., in case some third party got access to it and can now write e-mail in your name) costs around $25 (which is also charged by a lot of other companies).
- CAcert is a "community driven certificate authority". They verify your identity by other community members agreeing to do so, so you will have to meet others and show your ID to get your name into the certificate (for details, read their website). Issuing certificates and revocations are always free, but the downside is that their root certificate is not trusted by major operating systems and mail clients.
Might be feasible for limited groups or private use, but be aware of this problem if using it commercially.
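As an added example (not code from the question or the answer above), here is a small Python check that tells the two formats apart before an import is attempted: it recognises and validates the ASCII-armored OpenPGP block that gpg --armor --export writes (including its CRC-24 trailer and the tag of the first packet), and distinguishes it from an X.509 certificate in PEM or DER form. The sample inputs are constructed inline and the DER test is a header heuristic, not a full ASN.1 parse.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """RFC 4880 CRC-24 that produces the '=XXXX' line closing an armored block."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes) -> bytes:
    """Wrap raw OpenPGP packets in ASCII armor, as 'gpg --armor --export' does."""
    b64 = base64.b64encode(packets)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big"))
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body +
            b"\n=" + crc + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Armor grammar: BEGIN line, optional 'Key: value' headers, blank line, base64
# body, '=' + 4-char CRC, END line.  LF or CRLF both match (unix2dos output).
ARMOR_RE = re.compile(
    rb"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(?:[^\n]*:[^\n]*\r?\n)*\r?\n"
    rb"([A-Za-z0-9+/=\r\n]+?)\r?\n=([A-Za-z0-9+/]{4})\r?\n-----END PGP PUBLIC KEY BLOCK-----"
)

def classify(data: bytes) -> str:
    """Name the certificate system a key file belongs to, or flag it as damaged."""
    match = ARMOR_RE.search(data)
    if match:
        packets = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)))
        expected = int.from_bytes(base64.b64decode(match.group(2)), "big")
        if not packets or crc24(packets) != expected or not packets[0] & 0x80:
            return "openpgp-armor-corrupt"
        # Packet header byte: bit 6 set means new-format tag in the low 6 bits.
        tag = packets[0] & 0x3F if packets[0] & 0x40 else (packets[0] >> 2) & 0x0F
        return "openpgp-public-key" if tag == 6 else f"openpgp-packet-tag-{tag}"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "x509-pem"
    if data[:1] == b"\x30" and data[1:2] in (b"\x82", b"\x83"):  # DER SEQUENCE, long length
        return "x509-der"
    return "unknown"

# Constructed samples (not real keys): tag-6 packet in armor, PEM stub, DER prefix.
SAMPLE_PGP = armor(bytes.fromhex("990003040000"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBxjCCAW...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = bytes.fromhex("308201a33082010ba003020102")
```

Run classify() over the exported file: an "openpgp-*" result means an S/MIME importer such as Outlook's contact certificate dialog will never accept it, regardless of the .cer extension or the line endings.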