GPG public key created with GnuPG is rejected by MS Outlook 2010, why?

gnupg encryption microsoft-outlook pgp microsoft-outlook-2010

I created a GPG keypair with GnuPG on the CentOS 7 command line and I have exported the public key into a .asc file and successfully used that public key to encrypt emails sent from another email address which have been successfully decrypted using the private key that was created along with that public key.

So how can I generate a public key file that MS Outlook 2010 will accept and be able to successfully use to encrypt emails sent to be encrypted by the same private key?

Here is what I have done so far:

  1. Using putty, I typed gpg --list-public-keys at the server terminal. I noted that 12321KP4 was the id of the pub key in the results of gpg --list-public-keys

  2. I next typed gpg --armor --export 12321KP4 > /path/to/username_pubkey.cer.

  3. I then typed cat /path/to/username_pubkey.cer and confirmed that it is in fact a bunch of encrypted content.

  4. I downloaded the resulting username_pubkey.cer file.

  5. I opened “Outlook 2010.”

  6. In “Outlook > Contacts,” I opened the contact form for the contact whose certificate is username_pubkey.cer.

  7. On the “contact” tab, in the “show group,” I clicked “certificates,” and then clicked Import.

  8. I selected the username_pubkey.cer file and clicked “open,” but got the following error dialog:

enter image description here

How can I generate a keyfile that Outlook can import and then successfully use to send encypted emails that can be decrypted on the other end?

Note that Thunderbird is able to do this with a keyfile from this same key. Also note that I want to manually import the key first this way, and wait until later to develop the tools to send the key by email. The private key is on a server that hosts an app, and I would have to write my own code to send out public keys by email. I want to wait to write that code until after getting this approach to work first.

EDIT

As per @JakeGould's suggestion, I typed sudo unix2dos /path/to/username_pubkey.cer /path/to/username_pubkey_dos.cer, but I got the following in response: 

unix2dos: converting file /path/to/username_pubkey.cer to DOS format ...
unix2dos: /path/to/username_pubkey_dos.cer: No such file or directory
unix2dos: Skipping /path/to/username_pubkey_dos.cer, not a regular file.

How can I resolve this?


You're confusing two different digital certificate systems. Certificates are not interchangeable between the two systems.

OpenPGP

OpenPGP provides a non-hierarchical trust system, which does not require central certificate authorities. It is the more powerful, but also more complex system. Most mail clients do not support it out of the box, and require add-ons for using it.

Everybody can create his own key, and get it signed by others.

X.509 and S/MIME

The other option for digital certificates is X.509, used in S/MIME for e-mail, but also SSL/TLS for transport encryption of HTTP and other protocols. Here you have a bunch of certificate authorities (actually usually multiple hundred) that you trust in (by default settings of your computer/mail client), and that can vouch for others (issue certifications) which you automatically trust.

This is a good fit for (hierarchically organized) companies, which probably is the reason that it has much more wide-spread implementation. Outlook, Thunderbird and most other (reasonable) mail clients support it by default.

There are lots of certificate authorities where you could buy such a certificate (valid for a given timespan). I'm only listing two especially interesting ones:

  • StartSSL is an Israel-based company issuing free basic certificates for mail and servers, but without validating your real ID (only your mail address). The advantage is that they are trusted by all major browser and operating system vendors. Certificates including your real name are available for a flatrate of around 60$ per year. Be aware revoking a certificate (eg., in case some third got access to it and can now write e-mail in your name) is around 25$ (which is also charged by a lot of other companies).

  • CAcert is a "community driven certificate authority". They verify your identity by other community members agreeing to do so, so you will have to meet others and show your ID to get your name into the certificate (for details, read their website). Issuing certificates and revocations are always free, but the downside is their root certificate is not trusted by major operating systems and mail clients.

    Might be feasible for limited groups or private use, but be aware of this problem if using it commercially.

Related

Change the color of specific words in Microsoft Word/Publisher
How/where does a GoPro camera store HiLight tags?
Stop Windows 7 From Automatically Adjusting Recording Device Audio Levels [duplicate]
In Toad for Oracle's Schema Browser, my Tables list is empty
Bad owner or permissions on /root/.ssh/config
How to update/install zoneinfo timezone database on CentOS?
ansible playbook, different user by operating system
Active Directory delegation best practices
How important is patch management? [duplicate]
How to make sendmail accept connections from localhost only
why apt is not installing dependencies on Wheezy?
svnserve seems to write files as root. How can I give access to the same repository via svnserve and apache?