CAcert SSL certificates in KMail KDE 4

In preparation of the sixth “Brandenburger Linux-Infotag” I passed the CAcert Assurer Challange, which was the last requirement I had to fulfil to be allowed to verify people.

To start the “challenge” it is necessary to login with your own SSL certificate from CAcert. I only used gpg the last years, so I had have to create a new one and configure KDE to use it.

That’s unfortunately not easy.

Because I didn’t managed (yet) to get my private certificate working in konqueror I used Firefox to run the test. Import to Firefox works without any problems.

It is also possible to use the certificate for signing emails. I really like KMail and i didn’t want to switch over to Thunderbird.

So I tried to get the certificate properly configured once more.

After all you only have to add two lines in the right place.

First of all you have to import your certificate from CAcert. You can login to your CAcert-Page with Konqueror and navigate to your certificate. A click on the link there should automatically start the KDE certificate manager Kleopatra. You should get a notice that your certificate was successfully imported.

Remember: Imported is not the same as working/usable. :wink:

Add disable-trusted-cert-crl-check to the end of the file ~/.gnupg/gpgsm.conf and allow-mark-trusted to the (new) file gpg-agent.conf.

Now you need to restart your PC. After login you will be asked if you want to trust your single installed root certificates. Pay attention on and answer with yes.

Maybe it is sufficient to close the KDE Certificates Manager Kleopatra and stop the service gpg-agent with an “killall gpg-agent” and restart Kleopatra.

After that it should be possible to add your certificates in your KMail Profile.

If it is also working for you, give me a sign. Maybe we want to add this how-to to the kde or cacert wiki.

Update from Reinhard (german), Jan 2012:

Diese letzte Zeile ist leider etwas irreführend. Ich hatte bereits eine Datei trustlist.txt angelegt, die Datei gpg-agent.conf editiert und es ging dennoch nicht. Vielleicht lag es daran, dass ich die Anweisung “allow-mark-trusted” an den Anfang geschrieben habe; ich habe es jetz zusätzlich an das Ende gestellt. Vielleicht lag es auch daran, dass ich gpgsm.conf bisher nicht um “disable- trusted-cert-crl-check” erweitert hatte. Das herauszufinden habe ich keine Lust mehr. Jedenfalls nach diesen Änderungen, Shutdown von kleopatra, Kmail und einem SIGHUP an den laufenden gpg-agent und anschliessenden Neustart von Kmail funktionierte es einwandfrei.