
19 Importing and exporting a private certificate

Chapters 8 and 10 explained the import and export of certificates. You exported your own certificate in order to publish it, and you have imported the certificate of your correspondence partner and thus attached it to your "key ring" (i.e. accepted it into your certificate administration).

This process always referred to public keys. However, sometimes it is also necessary to import or export a private key. For example, if you wish to continue to use an already existing (OpenPGP or S/MIME) key pair with Gpg4win, you have to import it. Or, if you want to use Gpg4win from another computer, the entire key pair has to be transferred to that computer - the public and private key.

19.1 Export

You must make a backup copy using Kleopatra whenever you transfer a private certificate to another computer or want to save it to another hard drive partition or backup medium.

You may have already set up such a backup copy at the end of your OpenPGP certificate creation process. Since your OpenPGP certificate may have received additional authentications in the meantime, you should back it up again if applicable.

Open Kleopatra, select your own certificate and click on File -> Export private certificate.

Select the path and the file name of the output file. The file type is set automatically. Depending on whether you want to export a private OpenPGP or S/MIME key, the file ending .gpg (OpenPGP) or .p12 (S/MIME) will be selected by default. These are binary files which contain your encrypted certificate (including the private key).

When you activate the option ASCII-protected (ASCII armor), the file ending .asc (OpenPGP) or .pem (S/MIME) will be selected. These file types can be opened with any text editor - but you will only see the "mess" of numbers and characters that we have already seen before.

If this option is not selected, an encrypted file with the ending .gpg (OpenPGP) or .p12 (S/MIME) will be created. These files are binary files, so they cannot be viewed with a text editor.

Kleopatra stores both key parts - private and public - in one private certificate.

Attention: Please handle this file very carefully. It contains your private key and therefore information that is critical to security!

19.2 Import

To import your previously exported private certificate into Kleopatra, proceed as you would for importing other public certificates (see Chapter 10):

Click on File -> Import certificate... and select the file to be imported. If it is a PKCS12 file (e.g. type .p12), the system will first ask you for a passphrase to unlock the private key:

Now enter the passphrase - which could also be a new one - that is used to protect your private key after the import is complete:

Repeat the passphrase entry. If your passphrase is too short or consists only of letters, the system will give you a corresponding warning.

Following a successful import, an information window displaying the results of the import process will appear; here is an example of a private OpenPGP certificate:

Kleopatra has imported both the private and the public key from the backup file. Your certificate can be found in "My certificates" in Kleopatra's certificate administration.

Please also save the backup copy of your private certificate - if possible on a physically secured (e.g. in a vault) external medium. Then delete it from your hard drive and also remember to remove the deleted file from your "recycling bin". Otherwise this file poses a great security risk for your secret e-mail encryption.

There may be cases when you are not able to import a certificate exported with PGP ("Pretty Good Privacy"). This is because some PGP versions use an algorithm (IDEA) which cannot be supported by GnuPG for legal reasons.

To work around this problem, change the passphrase in PGP and export/import the OpenPGP certificate again. If this also does not work, set the passphrase in PGP to "empty", that is, no protection, and export/import again. In this case you must ensure that you have securely deleted the file and then set up a new real passphrase in PGP and Gpg4win.
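
Both the backup advice and the workaround above depend on no stray copy of the exported file remaining on disk. The following Python script is an added example (not part of the Compendium or of Gpg4win) that finds such copies by their content rather than by file ending, since a renamed .gpg, .asc, .p12 or .pem file is just as sensitive. The function names, the PEM labels checked and the first-bytes test for PKCS#12 are assumptions, and the binary checks are heuristics that can report false positives.

```python
import os
import re

# Matches an ASCII-armor / PEM header line and captures its label.
ARMOR = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# Result kinds that mean "this file holds private key material".
PRIVATE_KINDS = {"openpgp-private-armored", "smime-private-armored",
                 "openpgp-private-binary", "pkcs12-binary"}

def classify_export(data: bytes) -> str:
    """Classify the leading bytes of a key export by content, not file ending."""
    m = ARMOR.search(data[:4096])
    if m:
        label = m.group(1).decode("ascii")
        if label == "PGP PRIVATE KEY BLOCK":
            return "openpgp-private-armored"
        # Assumption: PEM labels an exporting tool may use for private material.
        if label == "PKCS12" or label.endswith("PRIVATE KEY"):
            return "smime-private-armored"
        return "armored-other"
    if not data:
        return "other"
    first = data[0]
    if first & 0x80:  # OpenPGP packet header: bit 7 is always set
        # New-format headers keep the tag in bits 5-0, old-format in bits 5-2.
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag == 5:  # tag 5 = Secret-Key packet, tag 6 = Public-Key packet
            return "openpgp-private-binary"
        return "openpgp-other-binary" if tag == 6 else "other"
    # Heuristic: PKCS#12 is a DER SEQUENCE whose first field is INTEGER 3.
    if first == 0x30 and b"\x02\x01\x03" in data[1:8]:
        return "pkcs12-binary"
    return "other"

def find_private_exports(root: str) -> dict:
    """Walk root and return {path: kind} for files holding private key material."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_export(fh.read(4096))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if kind in PRIVATE_KINDS:
                hits[path] = kind
    return hits
```

Run find_private_exports on the folders where exports were saved (for example a downloads or desktop folder) and review each reported path before deleting it.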

Congratulations! You have successfully exported and reimported your key pair.

© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the GNU Free Documentation License v1.2.
