security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

drop long-deprecated gpgsm-gencert.sh

Browse Source 
* tools/gpgsm-gencert.sh: remove deprecated script entirely.  It is
   fully replaced by gpgsm --gen-key
 * doc/tools.texi: remove gpgsm-gencert.sh documentation
 * .gitignore: no longer ignore gpgsm-gencert.sh manpage
 * doc/Makefile.am: quit making the manpage
 * tools/Makefile.am: quit distributing the script
 * doc/howto-create-a-server-cert.texi: overhaul documentation to use
   gpgsm --gen-key and tweak explanations

--

The commit deprecating gpgsm-gencert.sh
(81972ca7d53ff1996e0086702a09d4405bdc2a7e) dates back exactly 6 years.

 https://codesearch.debian.net/results/gpgsm-gencert.sh

suggests that in all of debian it is only referenced in documentation
(for poldi and scute) and example files (libept), and isn't actually
used directly anywhere.

Furthermore, trying to use gpgsm-gencert.sh to make a simple webserver
certificate-signing request failed for me, following the examples in
doc/howto-create-a-server-cert.texi exactly.

It's time we ripped off this band-aid :)

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2015-07-02 15:10:49 -04:00 committed by Neal H. Walfield
parent 3502b3cc0f
commit 1be2cebf7f
7 changed files with 85 additions and 339 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -67,7 +67,6 @@ doc/gpg-zip.1
doc/gpg2.1
doc/gpgconf.1
doc/gpgparsemail.1
doc/gpgsm-gencert.sh.1
doc/gpgsm.1
doc/gpgv2.1
doc/scdaemon.1

1
NEWS
View File

@ -1,6 +1,7 @@
Noteworthy changes in version 2.1.7 (unreleased)
------------------------------------------------
* dropped deprecated gpgsm-gencert.sh
Noteworthy changes in version 2.1.6 (2015-07-01)
------------------------------------------------

2
doc/Makefile.am
View File

@ -71,7 +71,7 @@ myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
myman_pages = gpg2.1 gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 gpgv2.1 \
watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 \
gpgsm-gencert.sh.1 applygnupgdefaults.8 gpg-zip.1 \
applygnupgdefaults.8 gpg-zip.1 \
dirmngr-client.1
man_MANS = $(myman_pages) gnupg.7

177
doc/howto-create-a-server-cert.texi
View File

@ -7,18 +7,17 @@ actually been done this way to get a certificate from CAcert to be used
on a real server. It has only been tested with this CA, but there
shouldn't be any problem to run this against any other CA.
Before you start, make sure that gpg-agent is running. As there is no
need for a configuration file, you may simply enter:
We start by generating an X.509 certificate signing request. As there
is no need for a configuration file, you may simply enter:
@cartouche
@example
$ gpgsm-gencert.sh >a.p10
Key type
[1] RSA
[2] Existing key
[3] Direct from card
Your selection: 1
You selected: RSA
$ gpgsm --gen-key >example.com.cert-req.pem
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 1
@end example
@end cartouche
@ -32,39 +31,36 @@ Let's continue:
@cartouche
@example
Key length
[1] 1024
[2] 2048
Your selection: 1
You selected: 1024
What keysize do you want? (2048)
Requested keysize is 2048 bits
@end example
@end cartouche
The script offers two common key sizes. With the current setup of
CAcert, it does not make much sense to use a 2k key; their policies need
to be revised anyway (a CA root key valid for 30 years is not really
serious).
Hitting enter chooses the default RSA key size of 2048 bits. Smaller
keys are too weak on the modern Internet. If you choose a larger
(stronger) key, your server will need to do more work.
@cartouche
@example
Key usage
[1] sign, encrypt
[2] sign
[3] encrypt
Your selection: 1
You selected: sign, encrypt
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
@end example
@end cartouche
We want to sign and encrypt using this key. This is just a suggestion
and the CA may actually assign other key capabilities.
Selecting ``sign'' enables use of the key for Diffie-Hellman key
exchange mechanisms (DHE and ECDHE) in TLS, which are preferred
because they offer forward secrecy. Selecting ``encrypt'' enables RSA
key exchange mechanisms, which are still common in some places.
Selecting both enables both key exchange mechanisms.
Now for some real data:
@cartouche
@example
Name (DN)
> CN=kerckhoffs.g10code.com
Enter the X.509 subject name: CN=example.com
@end example
@end cartouche
@ -74,13 +70,13 @@ server names later.
@cartouche
@example
E-Mail addresses (end with an empty line)
E-Mail addresses (end with an empty line):
>
@end example
@end cartouche
We don't need email addresses in a server certificate and CAcert would
anyway ignore such a request. Thus just hit enter.
We don't need email addresses in a TLS server certificate and CAcert
would anyway ignore such a request. Thus just hit enter.
If you want to create a client certificate for email encryption, this
would be the place to enter your mail address
@ -89,22 +85,21 @@ however the CA may not accept them all or reject the entire request.
@cartouche
@example
DNS Names (optional; end with an empty line)
> www.g10code.com
DNS Names (optional; end with an empty line)
> ftp.g10code.com
DNS Names (optional; end with an empty line)
Enter DNS names (optional; end with an empty line):
> example.com
> www.example.com
>
@end example
@end cartouche
Here I entered the names of the servers which actually run on the
machine given in the DN above. The browser will accept a certificate for
any of these names. As usual the CA must approve all of these names.
Here I entered the names of the services which the machine actually
provides. You almost always want to include the canonical name here
too. The browser will accept a certificate for any of these names. As
usual the CA must approve all of these names.
@cartouche
@example
URIs (optional; end with an empty line)
URIs (optional; end with an empty line):
>
@end example
@end cartouche
@ -112,25 +107,30 @@ any of these names. As usual the CA must approve all of these names.
It is possible to insert arbitrary URIs into a certificate; for a server
certificate this does not make sense.
@cartouche
@example
Create self-signed certificate? (y/N)
@end example
@end cartouche
Since we are creating a certificate signing request, and not a full
certificate, we answer no here, or just hit enter for the default.
We have now entered all required information and @command{gpgsm} will
display what it has gathered and ask whether to create the certificate
request:
@cartouche
@example
Parameters for certificate request to create:
1 Key-Type: RSA
2 Key-Length: 1024
3 Key-Usage: sign, encrypt
4 Name-DN: CN=kerckhoffs.g10code.com
5 Name-DNS: www.g10code.com
6 Name-DNS: ftp.g10code.com
Really create such a CSR?
[1] yes
[2] no
Your selection: 1
You selected: yes
These parameters are used:
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=example.com
Name-DNS: example.com
Name-DNS: www.example.com
Proceed with creation? (y/N) y
@end example
@end cartouche
@ -146,6 +146,7 @@ When it is ready, you should see the final notice:
@cartouche
@example
gpgsm: certificate request created
Ready. You should now send this request to your CA.
@end example
@end cartouche
@ -153,17 +154,22 @@ Now, you may look at the created request:
@cartouche
@example
$ cat a.p10
$ cat example.com.cert-req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
-----END CERTIFICATE REQUEST-----
$
@end example
@ -189,26 +195,7 @@ followed by a Ctrl-D
@example
-----BEGIN CERTIFICATE-----
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
[...]
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
Rtct3tIX
-----END CERTIFICATE-----
@ -229,19 +216,19 @@ To see the content of your certificate, you may now enter:
@cartouche
@example
$ gpgsm -K kerckhoffs.g10code.com
$ gpgsm -K example.com
/home/foo/.gnupg/pubring.kbx
---------------------------
Serial number: 4C
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
Subject: /CN=kerckhoffs.g10code.com
aka: (dns-name www.g10code.com)
aka: (dns-name ftp.g10code.com)
validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
key type: 1024 bit RSA
Subject: /CN=example.com
aka: (dns-name example.com)
aka: (dns-name www.example.com)
validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
key type: 2048 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
@end example
@end cartouche
@ -256,7 +243,7 @@ certificate. To create such a file, run:
@cartouche
@example
$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
$ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
@end example
@end cartouche
@ -266,12 +253,12 @@ certificate as well as the private key:
@cartouche
@example
$ cat kerckhoffs-cert.pem
$ cat example-cert.pem
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
Serial ...: 4C
Subject ..: /CN=kerckhoffs.g10code.com
aka ..: (dns-name www.g10code.com)
aka ..: (dns-name ftp.g10code.com)
Subject ..: /CN=example.com
aka ..: (dns-name example.com)
aka ..: (dns-name www.example.com)
-----BEGIN PKCS12-----
MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu

37
doc/tools.texi
View File

@ -15,7 +15,6 @@ GnuPG comes with a couple of smaller tools:
* addgnupghome:: Create .gnupg home directories.
* gpgconf:: Modify .gnupg home directories.
* applygnupgdefaults:: Run gpgconf for all users.
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent:: Communicate with a running agent.
* dirmngr-client:: How to use the Dirmngr client tool.
@ -1000,42 +999,6 @@ applygnupgdefaults
@end example
@c
@c GPGSM-GENCERT.SH
@c
@node gpgsm-gencert.sh
@section Generate an X.509 certificate request
@manpage gpgsm-gencert.sh.1
@ifset manverb
.B gpgsm-gencert.sh
\- Generate an X.509 certificate request
@end ifset
@mansect synopsis
@ifset manverb
.B gpgsm-gencert.sh
@end ifset
@mansect description
This is a simple tool to interactively generate a certificate request
which will be printed to stdout.
@manpause
@noindent
@command{gpgsm-gencert.sh} is invoked as:
@samp{gpgsm-cencert.sh}
@mansect see also
@ifset isman
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{scdaemon}(1)
@end ifset
@include see-also-note.texi
@c
@c GPG-PRESET-PASSPHRASE
@c

3
tools/Makefile.am
View File

@ -18,7 +18,7 @@
EXTRA_DIST = \
Manifest watchgnupg.c \
addgnupghome applygnupgdefaults gpgsm-gencert.sh \
addgnupghome applygnupgdefaults \
lspgpot mail-signed-keys convert-from-106 sockprox.c \
ccidmon.c ChangeLog-2011 gpg-connect-agent-w32info.rc
@ -34,7 +34,6 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
bin_SCRIPTS = gpgsm-gencert.sh
if HAVE_USTAR
# bin_SCRIPTS += gpg-zip
noinst_SCRIPTS = gpg-zip

203
tools/gpgsm-gencert.sh
View File

@ -1,203 +0,0 @@
#!/bin/sh
# -*- sh -*-
# gpgsm-gencert.c - Generate X.509 certificates through GPGSM.
# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
set -e
ASSUAN_FP_IN=4
ASSUAN_FP_OUT=5
ASSUAN_COMMANDS="\
INPUT FD=$ASSUAN_FP_IN\n\
OUTPUT FD=$ASSUAN_FP_OUT --armor\n\
GENKEY\n\
BYE\n"
ANSWER=""
query_user()
{
message=$1; shift
echo "$message" >&2
echo -n "> " >&2
read answer
ANSWER=$answer;
}
query_user_menu()
{
message=$1; shift
i=0
echo "$message" >&2
for choice in "$@"; do
i=$(expr $i + 1)
echo " [$i] $choice" >&2
done
while true; do
j=1
echo -n "Your selection: " >&2
read idx
while [ $j -lt $i -o $j -eq $i ]; do
if [ "$idx" = $j ]; then
break
fi
j=$(expr $j + 1)
done
if [ $j -lt $i -o $j -eq $i ]; then
break
fi
done
i=0
for choice in "$@"; do
i=$(expr $i + 1)
if [ $i -eq $idx ]; then
ANSWER=$1
break;
fi
shift
done
echo "You selected: $ANSWER" >&2
}
echo "WARNING: This script is deprecated; please use" >&2
echo " gpgsm --gen-key" >&2
echo " instead." >&2
KEY_TYPE=""
while [ -z "$KEY_TYPE" ]; do
query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
case "$ANSWER" in
RSA)
KEY_TYPE=$ANSWER
query_user_menu "Key length" "1024" "2048"
KEY_LENGTH=$ANSWER
KEY_GRIP=
;;
Existing*)
# User requested to use an existing key; need to set some dummy defaults
query_user "Keygrip "
if [ -n "$ANSWER" ]; then
KEY_TYPE=RSA
KEY_LENGTH=1024
KEY_GRIP=$ANSWER
fi
;;
Direct*)
tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
awk '$2 == "SERIALNO" {print $3}')
if [ -z "$tmp" ]; then
echo "No card found" >&2
else
echo "Card with S/N $tmp found" >&2
tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
awk '$2 == "$AUTHKEYID" {print $3}')
[ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
query_user_menu "Select key " $tmp "back"
if [ "$ANSWER" != "back" ]; then
KEY_TYPE="card:$ANSWER"
KEY_LENGTH=
KEY_GRIP=
fi
fi
;;
*)
exit 1
;;
esac
done
query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
KEY_USAGE=$ANSWER
query_user "Name (DN)"
NAME=$ANSWER
EMAIL_ADDRESSES=
LF=
while : ; do
query_user "E-Mail addresses (end with an empty line)"
[ -z "$ANSWER" ] && break
EMAIL_ADDRESSES="${EMAIL_ADDRESSES}${LF}Name-Email: $ANSWER"
LF='
'
done
DNS_ADDRESSES=
LF=
while : ; do
query_user "DNS Names (optional; end with an empty line)"
[ -z "$ANSWER" ] && break
DNS_ADDRESSES="${DNS_ADDRESSES}${LF}Name-DNS: $ANSWER"
LF='
'
done
URI_ADDRESSES=
LF=
while : ; do
query_user "URIs (optional; end with an empty line)"
[ -z "$ANSWER" ] && break
URI_ADDRESSES="${URI_ADDRESSES}${LF}Name-URI: $ANSWER"
LF='
'
done
file_parameter=$(mktemp "/tmp/gpgsm.XXXXXX")
outfile=$(mktemp "/tmp/gpgsm.XXXXXX")
(
cat <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-DN: $NAME
EOF
[ -n "$KEY_GRIP" ] && echo "Key-Grip: $KEY_GRIP"
[ -n "$EMAIL_ADDRESSES" ] && echo "$EMAIL_ADDRESSES"
[ -n "$DNS_ADDRESSES" ] && echo "$DNS_ADDRESSES"
[ -n "$URI_ADDRESSES" ] && echo "$URI_ADDRESSES"
) > "$file_parameter"
echo 'Parameters for certificate request to create:' >&2
cat -n "$file_parameter" >&2
echo >&2
query_user_menu "Really create such a CSR?" "yes" "no"
[ "$ANSWER" != "yes" ] && exit 1
printf "$ASSUAN_COMMANDS" | \
gpgsm --no-log-file --debug-level none --debug-none \
--server 4< "$file_parameter" 5>"$outfile" >/dev/null
cat "$outfile"
rm "$file_parameter" "$outfile"
exit 0