
Files

You can use an X.509 certificate to sign and encrypt files, among other things.

Certificate Management Software

First of all, you have to install suitable certificate management software on your PC. One suitable program is “Kleopatra”. Kleopatra is free (in the sense of freedom), open-source and also available at no cost.

  • Under Windows, Kleopatra is part of the so-called “Gpg4win” package, which is “… suitable for encrypting and signing e-mails, files and folders under Windows”. Download the Gpg4win package here. If you like, you are welcome to donate to Gpg4win, but you can also start the download by selecting “0 €”. Install Gpg4win on your PC. You can accept all default values during installation.
  • Under Linux, use the integrated software management to install the “kleopatra” package.

Setup of the software for X.509 certificates

Certification Chains

First of all, you have to import the two complete issuing certificate chains of the DFN-PKI for Jade University into Kleopatra. You can find the required files within the university in the PC network system and outside the university via the WebFiler at

  • JADE-HS - data (X :) / HRZ support / certificate services

Import the following files, in this order, using the Kleopatra menu item “File / Import”:

  • In the subfolder DFN-Global-G1:
    • Deutsche_Telekom_Root_CA_2-19990709.der
    • DFN-Verein_PCA_Global_-_G01-20140722.der
    • HS-WOE_CA_-_G01-20140605.der
  • In the subfolder DFN-Global-G2:
    • T-Telesec_GlobalRoot_Class_2-20081001.der
    • DFN-Verein_Certification_Authority_2-20160222.der
    • DFN-Verein_Global Issuing_CA-20160524.der

Finally, close all tabs named “Imported Certificates” and leave only the “All certificates” tab open.

Certificate Revocation List (CRL)

Certificate revocation lists are not currently supported, so you have to turn off the check. With the check turned off, Kleopatra does not detect revoked certificates.

  • In the Kleopatra menu item “Settings / Configure Kleopatra …” select the “S/MIME Validation” group.
  • Select the checkbox “Never consult a CRL” and then click the “OK” button.

User Certificate

Next, you have to import your own X.509 certificate, using the certificate file created under user certificates (section Backup):

Import this file using the Kleopatra menu item “File / Import”. During the import dialogue, you will be asked to enter a passphrase in the “pinentry” window. This is the password that you entered when you created the user certificate under Backup (you may have to enter this password two more times).

Public user certificates

If you want to encrypt files for other people, you need each recipient's public user certificate and must import it into Kleopatra as well.

After setup, the main window of Kleopatra should look something like this:

Sign / encrypt files

Now you can sign and/or encrypt files in Kleopatra:

  • To do this, click on the Kleopatra menu item “File / Sign / Encrypt …” and select the file to be signed/encrypted.
    • Ensure authenticity (sign)
      • Select the “Sign as” checkbox.
      • Click on the “Sign” button.
      • You will be asked to enter a passphrase in the “pinentry” window. Enter your certificate password here.
      • In addition to the file to be signed, another file with the same name is created, with the added extension
        • .p7s for X.509 (the signature file in PKCS#7 format)
      • You must keep the original and signature files in the same folder.
    • Encrypt:
      • Select the “Encrypt for me” checkbox if you want to encrypt for yourself.
      • Select the “Encrypt for others” checkbox if you want to encrypt for others. To do this, you have to import the other person's public certificate as described above and then select it here.
      • Click the “Encrypt” button.
      • In addition to the file to be encrypted, another file with the same name is created, with the added extension
        • .p7m for X.509 (the encrypted file in PKCS#7 format)

Check / decrypt files

Now you can check files for a valid signature and/or decrypt them in Kleopatra:

  • To do this, click on the Kleopatra menu item “File / Decrypt / Check …”.
    • Check
      • Select the signature file (with the extension .p7s).
    • Decrypt:
      • Select the encrypted file (with the extension .p7m).
  • A message window opens that shows the status of the signature/encryption.
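
The two file types from the sections above, a detached signature (.p7s) and an encrypted file (.p7m), can be reproduced on the command line. This is an added example, not part of the original page: it uses OpenSSL's cms command instead of Kleopatra. It assumes a throwaway self-signed certificate in place of a DFN-PKI user certificate, and all file and function names are constructed.

```shell
#!/bin/sh
# Added example. OpenSSL stands in for Kleopatra; every name is constructed.
WORK=$(mktemp -d)

setup() {  # throwaway self-signed certificate in place of a user certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo User" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    printf 'constructed sample document\n' > "$WORK/report.txt"
}

sign_file() {  # $1 = file; writes the detached signature $1.p7s
    openssl cms -sign -binary -in "$1" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -outform DER -out "$1.p7s"
}

verify_file() {  # $1 = file; its signature must sit beside it as $1.p7s
    openssl cms -verify -binary -inform DER -in "$1.p7s" -content "$1" \
        -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

encrypt_file() {  # $1 = file; writes $1.p7m for the certificate's owner
    openssl cms -encrypt -binary -aes256 -in "$1" \
        -outform DER -out "$1.p7m" "$WORK/cert.pem"
}

decrypt_file() {  # $1 = .p7m file, $2 = plaintext output
    openssl cms -decrypt -inform DER -in "$1" -recip "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$2"
}

setup
doc="$WORK/report.txt"
sign_file "$doc" && verify_file "$doc" && echo "signature valid"
encrypt_file "$doc" && decrypt_file "$doc.p7m" "$WORK/plain.txt" \
    && cmp -s "$doc" "$WORK/plain.txt" && echo "decrypted copy matches"
# The .p7s holds no copy of the content, so any change to the original
# file after signing makes verification fail.
printf 'appended after signing\n' >> "$doc"
verify_file "$doc" || echo "signature invalid after modification"
```

Because the .p7s file carries only the signature, verification needs the unchanged original beside it, which is why the two files have to stay together.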