---
I use Deedum to browse Gemini on Android and Kristall to browse Gemini on PC. On my Planet Computers Gemini PDA (which runs Debian) I use Lagrange, as the build tools for Kristall are unavailable in Planet Computers' repos. I have a client certificate I wanted to use on all my Gemini clients, but the cert export formats between Kristall and Deedum are incompatible with each other. I'm writing this post to explain how I worked around this limitation.
I used Fedora Linux to work with certs. I assume these steps will work with any system that has `openssl` on it, but I haven't tried it anywhere else. I'm also writing this guide in reference to Kristall v0.4 and Deedum 2022.0406.0502.
---
I originally made my client cert in Kristall and wanted to import it to Deedum. This is how I did it.
First, you need to create a client cert in Kristall. This is done by opening the "File" menu and selecting "Manage Certificates...". The "Create..." button guides you through the creation process, after which you have a usable certificate in Kristall--I'll refer to this cert as "test".
After the cert is created, selecting it enables the "Export..." button at the bottom of the certificate manager window. You will be asked to specify a key file to which to save the cert private key, and a certificate file to which to save the cert itself. I usually name these files after the identity of the cert, in this case "test.pem" for the private key and "test.der" for the cert file.
Both of these files need to be converted before they can be imported into Deedum. The cert file is exported in DER (binary) format, but Deedum requires PEM (text) format. Also, the private key is written in PKCS1 format, but Deedum requires PKCS8 format.
Assuming the file names I used above, the following command converts the cert file:
```
openssl x509 -inform DER -in test.der -outform PEM -out test-cert.pem
```
Change the file specified by the `-in` parameter to match the name of the cert file you exported, and the output name can be anything you like, as long as the extension is ".pem".
The following command converts the private key:
```
openssl pkcs8 -topk8 -nocrypt -in test.pem -out test-cert-key.pem
```
As before, change the file specified by the `-in` parameter to match the name of the key file you exported, and the output name can be anything you like, as long as the extension is ".pem".
Once the conversions are done, you can add the identity to Deedum. In the app, tap on the tab square to the right of the address bar: this will open up Deedum's configuration screen. Tap the small person to go to the "Identities" tab, then tap "Add new identity". Enter a name for the identity (it does not have to match what's in the certificate). Then copy the contents of "test-cert.pem" into the "Certificate" text field, and copy the contents of "test-cert-key.pem" into the "Private Key" text field. Tap "Submit", and the identity will be saved to Deedum.
The certificate and keys are saved without passwords. If you are asked for a password when opening the PEM files as text files, simply enter a blank password.
---
gordonguthrie asked on Station how to export a certificate from Deedum. Here's how I import a cert from Deedum to Kristall.
Start by creating a certificate in Deedum. In the app, tap on the tab square to the right of the address bar: this will open up Deedum's configuration screen. Tap the small person to go to the "Identities" tab, then tap "Add new identity". Enter a name for the identity (this will be used as the name in the certificate), then tap "Submit". Deedum will create a new certificate. A card with the identity name in it will appear in the "Identities" tab. For purposes of this guide, I'll call the cert "test2".
The identity card has two buttons on the right side: a bin (for deleting the cert) and a down arrow (for exporting the cert). Tap the down arrow, and a window will appear showing the contents of the cert and key PEM files. You will need to create two empty files on your device and, using the "Copy cert" and "copy private key" buttons, copy the PEM text into the two files. I'll call the cert file "test2-cert.pem" and the key file "test2-cert-key.pem". They both need to have the file extension ".pem".
Both of these files will need to be converted before Kristall can import them. Copy the PEM files to a machine with a terminal, or they can stay on your Android device if you have something like Termux installed.
Assuming the file names I used above, the following command converts the cert file:
```
openssl x509 -in test2-cert.pem -outform DER -out test2.der
```
Change the file specified by the `-in` parameter to match the name of the cert file you saved, and the output name can be anything you like, as long as the extension is ".der".
The following command converts the private key:
```
openssl rsa -in test2-cert-key.pem -out test2.pem
```
Change the file specified by the `-in` parameter to match the name of the key file you saved, and the output name can be anything you like, as long as the extension stays as ".pem".
These converted files can now be imported into Kristall. In the "File" menu, select the "Manage Certificates..." option. Select "Import...", then specify "test2.pem" for the key file and "test2.der" for the certificate file. Select "OK", and the cert will now be imported into Kristall.
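As an added check (not part of the original post), these shell functions report which encoding each file from either conversion above is actually in, and whether the certificate and private key belong together. The function names are made up for this example; it assumes only `openssl`, `grep`, `od`, `head` and `tr`.

```sh
#!/bin/sh
# Added example, not from the original post. File names are the post's.
# The keys handled here are unencrypted, so work in a directory only you
# can read (for instance after running: umask 077).

# cert_encoding FILE: print PEM, DER or unknown.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        echo DER    # a DER certificate starts with the ASN.1 SEQUENCE tag 0x30
    else
        echo unknown
    fi
}

# key_format FILE: print PKCS1, PKCS8, PKCS8-encrypted or unknown,
# judged by the PEM header line (the body is not parsed).
key_format() {
    header=$(grep -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null |
             head -n 1 | tr -d '\r')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo PKCS1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo PKCS8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo PKCS8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# pair_matches CERT KEY: exit 0 if the certificate's public key is the one
# derived from the private key, 1 if not, 2 if openssl cannot read a file.
pair_matches() {
    form=PEM
    if [ "$(cert_encoding "$1")" = DER ]; then form=DER; fi
    cert_pub=$(openssl x509 -inform "$form" -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Example: what Deedum needs after the Kristall -> Deedum conversion.
# [ "$(cert_encoding test-cert.pem)" = PEM ] &&
#   [ "$(key_format test-cert-key.pem)" = PKCS8 ] &&
#   pair_matches test-cert.pem test-cert-key.pem && echo "ready for Deedum"
```

If `key_format test2.pem` reports PKCS8 after the `openssl rsa` step, the OpenSSL in use is 3.x, whose `rsa` command writes PKCS#8 unless `-traditional` is given.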
---
I've also imported my client certificate into Lagrange, but I don't remember how I did it, and my PDA isn't in a state where I can check at the moment. I will probably write a follow-up for Lagrange soon.
[This post was originally written on 2023-01-05.]
---
[Last updated: 2023-02-13]