[Modules] mod_gnutls pgp key and certificate

Simon Josefsson simon at josefsson.org
Mon Sep 29 03:40:48 EDT 2008


Jack Bates <ms419 at freezone.co.uk> writes:

> I want to try mod_gnutls with PGP key and certificate. I tried the
> following steps to generate key.asc and cert.asc, for use with
> GnuTLSPGPKeyFile and GnuTLSPGPCertificateFile:
>
> ket% gpg --homedir ~/trash/.gnupg --gen-key
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> gpg: directory `/home/jablko/trash/.gnupg' created
> gpg: new configuration file `/home/jablko/trash/.gnupg/gpg.conf' created
> gpg: WARNING: options in `/home/jablko/trash/.gnupg/gpg.conf' are not
> yet active during this run
> gpg: keyring `/home/jablko/trash/.gnupg/secring.gpg' created
> gpg: keyring `/home/jablko/trash/.gnupg/pubring.gpg' created
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
> Your selection?
> [...]
> ket% gpg --homedir ~/trash/.gnupg --export-secret-keys -a -o key.asc
> ket% gpg --homedir ~/trash/.gnupg --export -a -o cert.asc
>
> Here is my httpd.conf:
> http://cgi.sfu.ca/~jdbates/tmp/mod-gnutls/200809280/httpd.conf
>
> - but when I start Apache, it complains:
>
> ket% /usr/sbin/apache2 -f httpd.conf
> Syntax error on line 16 of httpd.conf-gpg:
> GnuTLS: Failed to Import PGP Private Key '/home/jablko/trash/key.asc':
> (-59) GnuTLS internal error.
> ket% 
>
> I assume that I am not generating my PGP key and certificate correctly,
> but I have been over the documentation at:
> http://www.outoforder.cc/projects/apache/mod_gnutls/docs/
>
> - and the documentation in the source directory, but have not yet
> figured out the correct steps for generating PGP key and certificate
> files for mod_gnutls.
>
> What are the steps to generate PGP key and certificate files for
> mod_gnutls? Are they documented somewhere that I missed?

Possibly gpg doesn't export the secret keys, just dummies?  Recent
GnuTLS 2.5.x contains code that parses these keys correctly.  Before you
did get a -59 error, since the gnutls 2.4.x code didn't support the
GnuPG OpenPGP extension in this area.  Maybe Daniel Kahn Gillmor
<dkg at fifthhorseman.net> can help you more; he wrote the support for this
OpenPGP extension.

/Simon
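One way to check an export for stubs before handing it to mod_gnutls, as an added Python example that is not part of this thread and is neither mod_gnutls nor GnuPG code: it strips the ASCII armor, walks the OpenPGP packets and reports whether each secret (sub)key packet holds real secret material or a GnuPG "gnu-dummy" stub (S2K specifier type 101, the string "GNU", mode 1001 from GnuPG's DETAILS file). It assumes v4 keys with old-format packet headers (the style gpg 1.4 writes for key packets); the two sample exports are constructed inline from toy numbers and are not real keys. The same packet details can be read from `gpg --list-packets key.asc`.

```python
import base64

# OpenPGP secret-key packet tags (RFC 4880 section 4.3)
SECRET_KEY_TAGS = {5: "secret key", 7: "secret subkey"}
# Number of public MPIs per public-key algorithm (RFC 4880 section 5.5.2)
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
GNU_S2K_TYPE = 101                   # GnuPG private S2K specifier type
GNU_DUMMY, GNU_DIVERT = 1001, 1002   # GNU modes: 1000 + mode octet


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return the raw packet bytes of an ASCII-armored block (CRC line skipped)."""
    state, body = "outside", []
    for line in text.splitlines():
        if state == "outside" and line.startswith("-----BEGIN PGP"):
            state = "headers"            # armor headers run until the first blank line
        elif state == "headers" and line.strip() == "":
            state = "body"
        elif state == "body":
            if line.startswith("-----END PGP"):
                break
            if not line.startswith("="):  # a leading "=" marks the CRC24 line
                body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) for old-format packet headers (assumed for key packets)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if (hdr & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag, nlen = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]   # 0 = indeterminate
        length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big") if nlen else len(data) - pos - 1
        pos += 1 + nlen
        yield tag, data[pos:pos + length]
        pos += length


def classify_secret_key(body):
    """Describe what the secret part of a v4 secret (sub)key packet contains."""
    if body[0] != 4:
        return "unsupported key version %d" % body[0]
    pos = 5                                # version octet + 4-octet creation time
    count, pos = PUBLIC_MPI_COUNT.get(body[pos]), pos + 1
    if count is None:
        return "unknown public-key algorithm"
    for _ in range(count):                 # skip the public MPIs: 2-octet bit count + value
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8
    usage = body[pos]                      # string-to-key usage octet
    if usage == 0:
        return "unprotected secret material"
    if usage in (254, 255):
        s2k = pos + 2                      # S2K specifier follows the cipher octet
        if body[s2k] == GNU_S2K_TYPE and body[s2k + 2:s2k + 5] == b"GNU":
            mode = 1000 + body[s2k + 5]    # layout: 101, hash algo, "GNU", mode
            if mode == GNU_DUMMY:
                return "gnu-dummy stub (no secret material)"
            if mode == GNU_DIVERT:
                return "gnu-divert-to-card stub (secret held on a smartcard)"
            return "unknown GNU S2K mode %d" % mode
        return "passphrase-protected secret material"
    return "secret material encrypted with legacy cipher %d" % usage


def inspect_secret_keys(armored):
    """Return [(packet kind, status)] for every secret key packet in the export."""
    return [(SECRET_KEY_TAGS[tag], classify_secret_key(body))
            for tag, body in iter_packets(dearmor(armored)) if tag in SECRET_KEY_TAGS]


def has_usable_primary_secret_key(armored):
    """False when the primary secret key is only a stub a server cannot sign with."""
    report = inspect_secret_keys(armored)
    return bool(report) and report[0][0] == "secret key" and "stub" not in report[0][1]


# ---- constructed sample exports: toy numbers, not real key material ----
def _mpi(value):
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def _packet(tag, body):                    # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _armor(data):
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: constructed sample\n\n"
            + base64.b64encode(data).decode() + "\n=" + crc
            + "\n-----END PGP PRIVATE KEY BLOCK-----\n")

_PUBLIC = bytes([4, 0, 0, 0, 0, 1]) + _mpi(0xC5) + _mpi(17)          # v4, RSA, toy n and e
_SECRET = _mpi(0x2D) + _mpi(0x0B) + _mpi(0x11) + _mpi(0x05)           # toy d, p, q, u
_REAL = _PUBLIC + b"\x00" + _SECRET + (sum(_SECRET) % 65536).to_bytes(2, "big")
_STUB = _PUBLIC + bytes([254, 7, GNU_S2K_TYPE, 2]) + b"GNU" + bytes([GNU_DUMMY - 1000])

SAMPLE_FULL_EXPORT = _armor(_packet(5, _REAL))                        # primary key with material
SAMPLE_STUB_EXPORT = _armor(_packet(5, _STUB) + _packet(7, _REAL))    # primary stub, real subkey

if __name__ == "__main__":
    for name, export in (("full", SAMPLE_FULL_EXPORT), ("stub", SAMPLE_STUB_EXPORT)):
        print(name, inspect_secret_keys(export), has_usable_primary_secret_key(export))
```

Pointing `inspect_secret_keys` at the contents of a real key.asc shows, packet by packet, whether the primary key a TLS server must sign with is present or only a stub; a stub in the primary slot is the situation Simon suggests, and the check is cheaper than reading a GnuTLS error code.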
