-rw-r--r--  .gitignore                              1
-rw-r--r--  NEWS                                    1
-rw-r--r--  doc/Makefile.am                         2
-rw-r--r--  doc/howto-create-a-server-cert.texi   177
-rw-r--r--  doc/tools.texi                         37
-rw-r--r--  tools/Makefile.am                       3
-rwxr-xr-x  tools/gpgsm-gencert.sh                203
7 files changed, 85 insertions, 339 deletions
diff --git a/.gitignore b/.gitignore
index a525f1485..dd3d03124 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,7 +67,6 @@ doc/gpg-zip.1
doc/gpg2.1
doc/gpgconf.1
doc/gpgparsemail.1
-doc/gpgsm-gencert.sh.1
doc/gpgsm.1
doc/gpgv2.1
doc/scdaemon.1
diff --git a/NEWS b/NEWS
index 6932b9284..476f42c05 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
Noteworthy changes in version 2.1.7 (unreleased)
------------------------------------------------
+ * dropped deprecated gpgsm-gencert.sh
Noteworthy changes in version 2.1.6 (2015-07-01)
------------------------------------------------
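Review bot: the NEWS entry `+ * dropped deprecated gpgsm-gencert.sh` names what was removed but not what replaces it, which is the one thing a reader of release notes needs; the deleted script itself printed "please use gpgsm --gen-key instead" and the howto in this same commit is rewritten around that command. Suggest something like ` * The deprecated gpgsm-gencert.sh script has been removed; use gpgsm --gen-key instead.`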
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 3ea19ad87..3ed3057cd 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -71,7 +71,7 @@ myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
myman_pages = gpg2.1 gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 gpgv2.1 \
watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 \
- gpgsm-gencert.sh.1 applygnupgdefaults.8 gpg-zip.1 \
+ applygnupgdefaults.8 gpg-zip.1 \
dirmngr-client.1
man_MANS = $(myman_pages) gnupg.7
diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
index ce6dd2f47..496c9eeb3 100644
--- a/doc/howto-create-a-server-cert.texi
+++ b/doc/howto-create-a-server-cert.texi
@@ -7,18 +7,17 @@ actually been done this way to get a certificate from CAcert to be used
on a real server. It has only been tested with this CA, but there
shouldn't be any problem to run this against any other CA.
-Before you start, make sure that gpg-agent is running. As there is no
-need for a configuration file, you may simply enter:
+We start by generating an X.509 certificate signing request. As there
+is no need for a configuration file, you may simply enter:
@cartouche
@example
- $ gpgsm-gencert.sh >a.p10
- Key type
- [1] RSA
- [2] Existing key
- [3] Direct from card
- Your selection: 1
- You selected: RSA
+ $ gpgsm --gen-key >example.com.cert-req.pem
+ Please select what kind of key you want:
+ (1) RSA
+ (2) Existing key
+ (3) Existing key from card
+ Your selection? 1
@end example
@end cartouche
@@ -32,39 +31,36 @@ Let's continue:
@cartouche
@example
- Key length
- [1] 1024
- [2] 2048
- Your selection: 1
- You selected: 1024
+ What keysize do you want? (2048)
+ Requested keysize is 2048 bits
@end example
@end cartouche
-The script offers two common key sizes. With the current setup of
-CAcert, it does not make much sense to use a 2k key; their policies need
-to be revised anyway (a CA root key valid for 30 years is not really
-serious).
+Hitting enter chooses the default RSA key size of 2048 bits. Smaller
+keys are too weak on the modern Internet. If you choose a larger
+(stronger) key, your server will need to do more work.
@cartouche
@example
- Key usage
- [1] sign, encrypt
- [2] sign
- [3] encrypt
- Your selection: 1
- You selected: sign, encrypt
+ Possible actions for a RSA key:
+ (1) sign, encrypt
+ (2) sign
+ (3) encrypt
+ Your selection? 1
@end example
@end cartouche
-We want to sign and encrypt using this key. This is just a suggestion
-and the CA may actually assign other key capabilities.
+Selecting ``sign'' enables use of the key for Diffie-Hellman key
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred
+because they offer forward secrecy. Selecting ``encrypt'' enables RSA
+key exchange mechanisms, which are still common in some places.
+Selecting both enables both key exchange mechanisms.
Now for some real data:
@cartouche
@example
- Name (DN)
- > CN=kerckhoffs.g10code.com
+ Enter the X.509 subject name: CN=example.com
@end example
@end cartouche
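Review bot: the new key-usage paragraph (`+Selecting ``sign'' enables use of the key for Diffie-Hellman key` ...) drops the old caveat that the selection is only a suggestion and the CA may assign other capabilities. That caveat is still true for this walkthrough: the issued certificate shown further down in this file lists `key usage: digitalSignature keyEncipherment` and `ext key usage: clientAuth (suggested), serverAuth (suggested)`, both chosen by the CA. Keep one sentence stating that the CA decides the final key usage so readers are not surprised when the issued certificate differs from what they selected.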
@@ -74,13 +70,13 @@ server names later.
@cartouche
@example
- E-Mail addresses (end with an empty line)
+ E-Mail addresses (end with an empty line):
>
@end example
@end cartouche
-We don't need email addresses in a server certificate and CAcert would
-anyway ignore such a request. Thus just hit enter.
+We don't need email addresses in a TLS server certificate and CAcert
+would anyway ignore such a request. Thus just hit enter.
If you want to create a client certificate for email encryption, this
would be the place to enter your mail address
@@ -89,22 +85,21 @@ however the CA may not accept them all or reject the entire request.
@cartouche
@example
- DNS Names (optional; end with an empty line)
- > www.g10code.com
- DNS Names (optional; end with an empty line)
- > ftp.g10code.com
- DNS Names (optional; end with an empty line)
+ Enter DNS names (optional; end with an empty line):
+ > example.com
+ > www.example.com
>
@end example
@end cartouche
-Here I entered the names of the servers which actually run on the
-machine given in the DN above. The browser will accept a certificate for
-any of these names. As usual the CA must approve all of these names.
+Here I entered the names of the services which the machine actually
+provides. You almost always want to include the canonical name here
+too. The browser will accept a certificate for any of these names. As
+usual the CA must approve all of these names.
@cartouche
@example
- URIs (optional; end with an empty line)
+ URIs (optional; end with an empty line):
>
@end example
@end cartouche
@@ -112,25 +107,30 @@ any of these names. As usual the CA must approve all of these names.
It is possible to insert arbitrary URIs into a certificate; for a server
certificate this does not make sense.
+@cartouche
+@example
+ Create self-signed certificate? (y/N)
+@end example
+@end cartouche
+
+Since we are creating a certificate signing request, and not a full
+certificate, we answer no here, or just hit enter for the default.
+
We have now entered all required information and @command{gpgsm} will
display what it has gathered and ask whether to create the certificate
request:
@cartouche
@example
- Parameters for certificate request to create:
- 1 Key-Type: RSA
- 2 Key-Length: 1024
- 3 Key-Usage: sign, encrypt
- 4 Name-DN: CN=kerckhoffs.g10code.com
- 5 Name-DNS: www.g10code.com
- 6 Name-DNS: ftp.g10code.com
-
- Really create such a CSR?
- [1] yes
- [2] no
- Your selection: 1
- You selected: yes
+ These parameters are used:
+ Key-Type: RSA
+ Key-Length: 2048
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+ Name-DNS: www.example.com
+
+ Proceed with creation? (y/N) y
@end example
@end cartouche
@@ -146,6 +146,7 @@ When it is ready, you should see the final notice:
@cartouche
@example
gpgsm: certificate request created
+ Ready. You should now send this request to your CA.
@end example
@end cartouche
@@ -153,17 +154,22 @@ Now, you may look at the created request:
@cartouche
@example
- $ cat a.p10
+ $ cat example.com.cert-req.pem
-----BEGIN CERTIFICATE REQUEST-----
- MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
- nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
- HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
- wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
- Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
- d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
- gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
- IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
- eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
+ MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
+ h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
+ Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
+ GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
+ DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
+ xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
+ hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
+ ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
+ b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
+ hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
+ bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
+ VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
+ k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
-----END CERTIFICATE REQUEST-----
$
@end example
@@ -189,26 +195,7 @@ followed by a Ctrl-D
@example
-----BEGIN CERTIFICATE-----
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
- cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
- ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
- MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
- hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
- ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
- 8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
- MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
- BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
- oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
- dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
- b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
- aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
- W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
- fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
- mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
- NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
- 6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
- BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
- gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
- 94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
+ [...]
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
Rtct3tIX
-----END CERTIFICATE-----
@@ -229,19 +216,19 @@ To see the content of your certificate, you may now enter:
@cartouche
@example
- $ gpgsm -K kerckhoffs.g10code.com
+ $ gpgsm -K example.com
/home/foo/.gnupg/pubring.kbx
---------------------------
Serial number: 4C
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
- Subject: /CN=kerckhoffs.g10code.com
- aka: (dns-name www.g10code.com)
- aka: (dns-name ftp.g10code.com)
- validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
- key type: 1024 bit RSA
+ Subject: /CN=example.com
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+ key type: 2048 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
- fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
@end example
@end cartouche
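Review bot: the edited `gpgsm -K` output no longer corresponds to the certificate shown in the preceding hunk. The `-----BEGIN CERTIFICATE-----` block keeps its original first line (`MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBU...`, i.e. the 2005 CAcert certificate with serial 4C) and its original trailing lines, with only the middle replaced by `[...]`, while this hunk changes the subject to `/CN=example.com`, the validity to 2015-07-01 through 2016-07-01 and the key type to `2048 bit RSA`. The new `fingerprint:` line is also just the old one with byte pairs swapped (`33:19:D8:E9:65:B9:BD:4F` became `33:D8:19:E9:65:B9:4F:BD`), so it is not the fingerprint of any real certificate. Either regenerate the certificate and listing together from the new example.com request, or say in the text that the listing is illustrative and does not match the PEM block above.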
@@ -256,7 +243,7 @@ certificate. To create such a file, run:
@cartouche
@example
- $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
+ $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
@end example
@end cartouche
@@ -266,12 +253,12 @@ certificate as well as the private key:
@cartouche
@example
- $ cat kerckhoffs-cert.pem
+ $ cat example-cert.pem
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
Serial ...: 4C
- Subject ..: /CN=kerckhoffs.g10code.com
- aka ..: (dns-name www.g10code.com)
- aka ..: (dns-name ftp.g10code.com)
+ Subject ..: /CN=example.com
+ aka ..: (dns-name example.com)
+ aka ..: (dns-name www.example.com)
-----BEGIN PKCS12-----
MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
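Review bot: file name mismatch between this hunk and the previous one. The export command writes `>example.com-cert.pem`, but this hunk reads it back with `$ cat example-cert.pem`; a reader following along gets "No such file". Change the line to `+   $ cat example.com-cert.pem` (or rename both to the same thing).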
diff --git a/doc/tools.texi b/doc/tools.texi
index a067eb66f..1dd1b35e9 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -15,7 +15,6 @@ GnuPG comes with a couple of smaller tools:
* addgnupghome:: Create .gnupg home directories.
* gpgconf:: Modify .gnupg home directories.
* applygnupgdefaults:: Run gpgconf for all users.
-* gpgsm-gencert.sh:: Generate an X.509 certificate request.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent:: Communicate with a running agent.
* dirmngr-client:: How to use the Dirmngr client tool.
@@ -1001,42 +1000,6 @@ applygnupgdefaults
@c
-@c GPGSM-GENCERT.SH
-@c
-@node gpgsm-gencert.sh
-@section Generate an X.509 certificate request
-@manpage gpgsm-gencert.sh.1
-@ifset manverb
-.B gpgsm-gencert.sh
-\- Generate an X.509 certificate request
-@end ifset
-
-@mansect synopsis
-@ifset manverb
-.B gpgsm-gencert.sh
-@end ifset
-
-@mansect description
-This is a simple tool to interactively generate a certificate request
-which will be printed to stdout.
-
-@manpause
-@noindent
-@command{gpgsm-gencert.sh} is invoked as:
-
-@samp{gpgsm-cencert.sh}
-
-@mansect see also
-@ifset isman
-@command{gpgsm}(1),
-@command{gpg-agent}(1),
-@command{scdaemon}(1)
-@end ifset
-@include see-also-note.texi
-
-
-
-@c
@c GPG-PRESET-PASSPHRASE
@c
@node gpg-preset-passphrase
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 5c28954f3..496b1a6f4 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -18,7 +18,7 @@
EXTRA_DIST = \
Manifest watchgnupg.c \
- addgnupghome applygnupgdefaults gpgsm-gencert.sh \
+ addgnupghome applygnupgdefaults \
lspgpot mail-signed-keys convert-from-106 sockprox.c \
ccidmon.c ChangeLog-2011 gpg-connect-agent-w32info.rc
@@ -34,7 +34,6 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
-bin_SCRIPTS = gpgsm-gencert.sh
if HAVE_USTAR
# bin_SCRIPTS += gpg-zip
noinst_SCRIPTS = gpg-zip
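Review bot: after removing `-bin_SCRIPTS = gpgsm-gencert.sh`, `bin_SCRIPTS` is no longer defined anywhere in this Makefile.am, but the commented line `# bin_SCRIPTS += gpg-zip` inside `if HAVE_USTAR` still uses `+=`. Automake rejects `+=` on a variable that has not been set with `=` first, so if that line is ever re-enabled it will fail; either change the comment to `# bin_SCRIPTS = gpg-zip` now or drop the stale comment.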
diff --git a/tools/gpgsm-gencert.sh b/tools/gpgsm-gencert.sh
deleted file mode 100755
index b209c8e5a..000000000
--- a/tools/gpgsm-gencert.sh
+++ /dev/null
@@ -1,203 +0,0 @@
-#!/bin/sh
-# -*- sh -*-
-# gpgsm-gencert.c - Generate X.509 certificates through GPGSM.
-# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
-#
-# This file is part of GnuPG.
-#
-# GnuPG is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# GnuPG is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
-
-set -e
-
-ASSUAN_FP_IN=4
-ASSUAN_FP_OUT=5
-
-ASSUAN_COMMANDS="\
-INPUT FD=$ASSUAN_FP_IN\n\
-OUTPUT FD=$ASSUAN_FP_OUT --armor\n\
-GENKEY\n\
-BYE\n"
-
-ANSWER=""
-
-query_user()
-{
- message=$1; shift
-
- echo "$message" >&2
- echo -n "> " >&2
- read answer
-
- ANSWER=$answer;
-}
-
-query_user_menu()
-{
- message=$1; shift
- i=0
-
- echo "$message" >&2
- for choice in "$@"; do
- i=$(expr $i + 1)
- echo " [$i] $choice" >&2
- done
-
- while true; do
- j=1
- echo -n "Your selection: " >&2
- read idx
-
- while [ $j -lt $i -o $j -eq $i ]; do
- if [ "$idx" = $j ]; then
- break
- fi
- j=$(expr $j + 1)
- done
- if [ $j -lt $i -o $j -eq $i ]; then
- break
- fi
- done
-
- i=0
- for choice in "$@"; do
- i=$(expr $i + 1)
- if [ $i -eq $idx ]; then
- ANSWER=$1
- break;
- fi
- shift
- done
-
- echo "You selected: $ANSWER" >&2
-}
-
-
-echo "WARNING: This script is deprecated; please use" >&2
-echo " gpgsm --gen-key" >&2
-echo " instead." >&2
-KEY_TYPE=""
-while [ -z "$KEY_TYPE" ]; do
- query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
- case "$ANSWER" in
- RSA)
- KEY_TYPE=$ANSWER
- query_user_menu "Key length" "1024" "2048"
- KEY_LENGTH=$ANSWER
- KEY_GRIP=
- ;;
- Existing*)
- # User requested to use an existing key; need to set some dummy defaults
- query_user "Keygrip "
- if [ -n "$ANSWER" ]; then
- KEY_TYPE=RSA
- KEY_LENGTH=1024
- KEY_GRIP=$ANSWER
- fi
- ;;
- Direct*)
- tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
- awk '$2 == "SERIALNO" {print $3}')
- if [ -z "$tmp" ]; then
- echo "No card found" >&2
- else
- echo "Card with S/N $tmp found" >&2
- tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
- awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
- sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
- awk '$2 == "$AUTHKEYID" {print $3}')
- [ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
- query_user_menu "Select key " $tmp "back"
- if [ "$ANSWER" != "back" ]; then
- KEY_TYPE="card:$ANSWER"
- KEY_LENGTH=
- KEY_GRIP=
- fi
- fi
- ;;
- *)
- exit 1
- ;;
- esac
-done
-
-query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
-KEY_USAGE=$ANSWER
-
-query_user "Name (DN)"
-NAME=$ANSWER
-
-EMAIL_ADDRESSES=
-LF=
-while : ; do
- query_user "E-Mail addresses (end with an empty line)"
- [ -z "$ANSWER" ] && break
- EMAIL_ADDRESSES="${EMAIL_ADDRESSES}${LF}Name-Email: $ANSWER"
- LF='
-'
-done
-
-DNS_ADDRESSES=
-LF=
-while : ; do
- query_user "DNS Names (optional; end with an empty line)"
- [ -z "$ANSWER" ] && break
- DNS_ADDRESSES="${DNS_ADDRESSES}${LF}Name-DNS: $ANSWER"
- LF='
-'
-done
-
-URI_ADDRESSES=
-LF=
-while : ; do
- query_user "URIs (optional; end with an empty line)"
- [ -z "$ANSWER" ] && break
- URI_ADDRESSES="${URI_ADDRESSES}${LF}Name-URI: $ANSWER"
- LF='
-'
-done
-
-file_parameter=$(mktemp "/tmp/gpgsm.XXXXXX")
-outfile=$(mktemp "/tmp/gpgsm.XXXXXX")
-
-
-(
-cat <<EOF
-Key-Type: $KEY_TYPE
-Key-Length: $KEY_LENGTH
-Key-Usage: $KEY_USAGE
-Name-DN: $NAME
-EOF
-[ -n "$KEY_GRIP" ] && echo "Key-Grip: $KEY_GRIP"
-[ -n "$EMAIL_ADDRESSES" ] && echo "$EMAIL_ADDRESSES"
-[ -n "$DNS_ADDRESSES" ] && echo "$DNS_ADDRESSES"
-[ -n "$URI_ADDRESSES" ] && echo "$URI_ADDRESSES"
-) > "$file_parameter"
-
-
-echo 'Parameters for certificate request to create:' >&2
-cat -n "$file_parameter" >&2
-echo >&2
-
-query_user_menu "Really create such a CSR?" "yes" "no"
-[ "$ANSWER" != "yes" ] && exit 1
-
-
-printf "$ASSUAN_COMMANDS" | \
- gpgsm --no-log-file --debug-level none --debug-none \
- --server 4< "$file_parameter" 5>"$outfile" >/dev/null
-
-cat "$outfile"
-
-rm "$file_parameter" "$outfile"
-exit 0
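Review bot: deleting the script also deletes the only in-tree example of driving `gpgsm --server` for CSR generation (`INPUT FD=...`, `OUTPUT FD=... --armor`, `GENKEY`) together with the parameter-file keys it built (`Key-Type`, `Key-Length`, `Key-Usage`, `Name-DN`, `Key-Grip`, `Name-Email`, `Name-DNS`, `Name-URI`). The interactive `gpgsm --gen-key` that the script's own warning points to covers the howto, but anyone who scripted request generation with this tool loses a documented path; please check that gpgsm.texi documents the non-interactive equivalent (or the parameter-file format) before this lands, and reference it from the NEWS entry.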