diff --git a/.gitignore b/.gitignore
index a525f1485..dd3d03124 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,7 +67,6 @@ doc/gpg-zip.1
doc/gpg2.1
doc/gpgconf.1
doc/gpgparsemail.1
-doc/gpgsm-gencert.sh.1
doc/gpgsm.1
doc/gpgv2.1
doc/scdaemon.1
diff --git a/NEWS b/NEWS
index 6932b9284..476f42c05 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
Noteworthy changes in version 2.1.7 (unreleased)
------------------------------------------------
+ * dropped deprecated gpgsm-gencert.sh
Noteworthy changes in version 2.1.6 (2015-07-01)
------------------------------------------------
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 3ea19ad87..3ed3057cd 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -71,7 +71,7 @@ myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
myman_pages = gpg2.1 gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 gpgv2.1 \
watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 \
- gpgsm-gencert.sh.1 applygnupgdefaults.8 gpg-zip.1 \
+ applygnupgdefaults.8 gpg-zip.1 \
dirmngr-client.1
man_MANS = $(myman_pages) gnupg.7
diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
index ce6dd2f47..496c9eeb3 100644
--- a/doc/howto-create-a-server-cert.texi
+++ b/doc/howto-create-a-server-cert.texi
@@ -7,18 +7,17 @@ actually been done this way to get a certificate from CAcert to be used
on a real server. It has only been tested with this CA, but there
shouldn't be any problem to run this against any other CA.
-Before you start, make sure that gpg-agent is running. As there is no
-need for a configuration file, you may simply enter:
+We start by generating an X.509 certificate signing request. As there
+is no need for a configuration file, you may simply enter:
@cartouche
@example
- $ gpgsm-gencert.sh >a.p10
- Key type
- [1] RSA
- [2] Existing key
- [3] Direct from card
- Your selection: 1
- You selected: RSA
+ $ gpgsm --gen-key >example.com.cert-req.pem
+ Please select what kind of key you want:
+ (1) RSA
+ (2) Existing key
+ (3) Existing key from card
+ Your selection? 1
@end example
@end cartouche
@@ -32,39 +31,36 @@ Let's continue:
@cartouche
@example
- Key length
- [1] 1024
- [2] 2048
- Your selection: 1
- You selected: 1024
+ What keysize do you want? (2048)
+ Requested keysize is 2048 bits
@end example
@end cartouche
-The script offers two common key sizes. With the current setup of
-CAcert, it does not make much sense to use a 2k key; their policies need
-to be revised anyway (a CA root key valid for 30 years is not really
-serious).
+Hitting enter chooses the default RSA key size of 2048 bits. Smaller
+keys are too weak on the modern Internet. If you choose a larger
+(stronger) key, your server will need to do more work.
@cartouche
@example
- Key usage
- [1] sign, encrypt
- [2] sign
- [3] encrypt
- Your selection: 1
- You selected: sign, encrypt
+ Possible actions for a RSA key:
+ (1) sign, encrypt
+ (2) sign
+ (3) encrypt
+ Your selection? 1
@end example
@end cartouche
-We want to sign and encrypt using this key. This is just a suggestion
-and the CA may actually assign other key capabilities.
+Selecting ``sign'' enables use of the key for Diffie-Hellman key
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred
+because they offer forward secrecy. Selecting ``encrypt'' enables RSA
+key exchange mechanisms, which are still common in some places.
+Selecting both enables both key exchange mechanisms.
Now for some real data:
@cartouche
@example
- Name (DN)
- > CN=kerckhoffs.g10code.com
+ Enter the X.509 subject name: CN=example.com
@end example
@end cartouche
@@ -74,13 +70,13 @@ server names later.
@cartouche
@example
- E-Mail addresses (end with an empty line)
+ E-Mail addresses (end with an empty line):
>
@end example
@end cartouche
-We don't need email addresses in a server certificate and CAcert would
-anyway ignore such a request. Thus just hit enter.
+We don't need email addresses in a TLS server certificate and CAcert
+would anyway ignore such a request. Thus just hit enter.
If you want to create a client certificate for email encryption, this
would be the place to enter your mail address
@@ -89,22 +85,21 @@ however the CA may not accept them all or reject the entire request.
@cartouche
@example
- DNS Names (optional; end with an empty line)
- > www.g10code.com
- DNS Names (optional; end with an empty line)
- > ftp.g10code.com
- DNS Names (optional; end with an empty line)
+ Enter DNS names (optional; end with an empty line):
+ > example.com
+ > www.example.com
>
@end example
@end cartouche
-Here I entered the names of the servers which actually run on the
-machine given in the DN above. The browser will accept a certificate for
-any of these names. As usual the CA must approve all of these names.
+Here I entered the names of the services which the machine actually
+provides. You almost always want to include the canonical name here
+too. The browser will accept a certificate for any of these names. As
+usual the CA must approve all of these names.
@cartouche
@example
- URIs (optional; end with an empty line)
+ URIs (optional; end with an empty line):
>
@end example
@end cartouche
@@ -112,25 +107,30 @@ any of these names. As usual the CA must approve all of these names.
It is possible to insert arbitrary URIs into a certificate; for a server
certificate this does not make sense.
+@cartouche
+@example
+ Create self-signed certificate? (y/N)
+@end example
+@end cartouche
+
+Since we are creating a certificate signing request, and not a full
+certificate, we answer no here, or just hit enter for the default.
+
We have now entered all required information and @command{gpgsm} will
display what it has gathered and ask whether to create the certificate
request:
@cartouche
@example
- Parameters for certificate request to create:
- 1 Key-Type: RSA
- 2 Key-Length: 1024
- 3 Key-Usage: sign, encrypt
- 4 Name-DN: CN=kerckhoffs.g10code.com
- 5 Name-DNS: www.g10code.com
- 6 Name-DNS: ftp.g10code.com
-
- Really create such a CSR?
- [1] yes
- [2] no
- Your selection: 1
- You selected: yes
+ These parameters are used:
+ Key-Type: RSA
+ Key-Length: 2048
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+ Name-DNS: www.example.com
+
+ Proceed with creation? (y/N) y
@end example
@end cartouche
@@ -146,6 +146,7 @@ When it is ready, you should see the final notice:
@cartouche
@example
gpgsm: certificate request created
+ Ready. You should now send this request to your CA.
@end example
@end cartouche
@@ -153,17 +154,22 @@ Now, you may look at the created request:
@cartouche
@example
- $ cat a.p10
+ $ cat example.com.cert-req.pem
-----BEGIN CERTIFICATE REQUEST-----
- MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
- nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
- HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
- wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
- Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
- d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
- gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
- IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
- eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
+ MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
+ h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
+ Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
+ GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
+ DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
+ xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
+ hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
+ ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
+ b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
+ hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
+ bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
+ VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
+ k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
-----END CERTIFICATE REQUEST-----
$
@end example
@@ -189,26 +195,7 @@ followed by a Ctrl-D
@example
-----BEGIN CERTIFICATE-----
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
- cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
- ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
- MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
- hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
- ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
- 8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
- MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
- BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
- oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
- dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
- b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
- aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
- W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
- fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
- mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
- NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
- 6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
- BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
- gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
- 94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
+ [...]
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
Rtct3tIX
-----END CERTIFICATE-----
@@ -229,19 +216,19 @@ To see the content of your certificate, you may now enter:
@cartouche
@example
- $ gpgsm -K kerckhoffs.g10code.com
+ $ gpgsm -K example.com
/home/foo/.gnupg/pubring.kbx
---------------------------
Serial number: 4C
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
- Subject: /CN=kerckhoffs.g10code.com
- aka: (dns-name www.g10code.com)
- aka: (dns-name ftp.g10code.com)
- validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
- key type: 1024 bit RSA
+ Subject: /CN=example.com
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+ key type: 2048 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
- fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
@end example
@end cartouche
@@ -256,7 +243,7 @@ certificate. To create such a file, run:
@cartouche
@example
- $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
+ $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
@end example
@end cartouche
@@ -266,12 +253,12 @@ certificate as well as the private key:
@cartouche
@example
- $ cat kerckhoffs-cert.pem
+ $ cat example-cert.pem
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
Serial ...: 4C
- Subject ..: /CN=kerckhoffs.g10code.com
- aka ..: (dns-name www.g10code.com)
- aka ..: (dns-name ftp.g10code.com)
+ Subject ..: /CN=example.com
+ aka ..: (dns-name example.com)
+ aka ..: (dns-name www.example.com)
-----BEGIN PKCS12-----
MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
diff --git a/doc/tools.texi b/doc/tools.texi
index a067eb66f..1dd1b35e9 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -15,7 +15,6 @@ GnuPG comes with a couple of smaller tools:
* addgnupghome:: Create .gnupg home directories.
* gpgconf:: Modify .gnupg home directories.
* applygnupgdefaults:: Run gpgconf for all users.
-* gpgsm-gencert.sh:: Generate an X.509 certificate request.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent:: Communicate with a running agent.
* dirmngr-client:: How to use the Dirmngr client tool.
@@ -1000,42 +999,6 @@ applygnupgdefaults
@end example
-@c
-@c GPGSM-GENCERT.SH
-@c
-@node gpgsm-gencert.sh
-@section Generate an X.509 certificate request
-@manpage gpgsm-gencert.sh.1
-@ifset manverb
-.B gpgsm-gencert.sh
-\- Generate an X.509 certificate request
-@end ifset
-
-@mansect synopsis
-@ifset manverb
-.B gpgsm-gencert.sh
-@end ifset
-
-@mansect description
-This is a simple tool to interactively generate a certificate request
-which will be printed to stdout.
-
-@manpause
-@noindent
-@command{gpgsm-gencert.sh} is invoked as:
-
-@samp{gpgsm-cencert.sh}
-
-@mansect see also
-@ifset isman
-@command{gpgsm}(1),
-@command{gpg-agent}(1),
-@command{scdaemon}(1)
-@end ifset
-@include see-also-note.texi
-
-
-
@c
@c GPG-PRESET-PASSPHRASE
@c
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 5c28954f3..496b1a6f4 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -18,7 +18,7 @@
EXTRA_DIST = \
Manifest watchgnupg.c \
- addgnupghome applygnupgdefaults gpgsm-gencert.sh \
+ addgnupghome applygnupgdefaults \
lspgpot mail-signed-keys convert-from-106 sockprox.c \
ccidmon.c ChangeLog-2011 gpg-connect-agent-w32info.rc
@@ -34,7 +34,6 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
-bin_SCRIPTS = gpgsm-gencert.sh
if HAVE_USTAR
# bin_SCRIPTS += gpg-zip
noinst_SCRIPTS = gpg-zip
diff --git a/tools/gpgsm-gencert.sh b/tools/gpgsm-gencert.sh
deleted file mode 100755
index b209c8e5a..000000000
--- a/tools/gpgsm-gencert.sh
+++ /dev/null
@@ -1,203 +0,0 @@
-#!/bin/sh
-# -*- sh -*-
-# gpgsm-gencert.c - Generate X.509 certificates through GPGSM.
-# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
-#
-# This file is part of GnuPG.
-#
-# GnuPG is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# GnuPG is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see .
-
-set -e
-
-ASSUAN_FP_IN=4
-ASSUAN_FP_OUT=5
-
-ASSUAN_COMMANDS="\
-INPUT FD=$ASSUAN_FP_IN\n\
-OUTPUT FD=$ASSUAN_FP_OUT --armor\n\
-GENKEY\n\
-BYE\n"
-
-ANSWER=""
-
-query_user()
-{
- message=$1; shift
-
- echo "$message" >&2
- echo -n "> " >&2
- read answer
-
- ANSWER=$answer;
-}
-
-query_user_menu()
-{
- message=$1; shift
- i=0
-
- echo "$message" >&2
- for choice in "$@"; do
- i=$(expr $i + 1)
- echo " [$i] $choice" >&2
- done
-
- while true; do
- j=1
- echo -n "Your selection: " >&2
- read idx
-
- while [ $j -lt $i -o $j -eq $i ]; do
- if [ "$idx" = $j ]; then
- break
- fi
- j=$(expr $j + 1)
- done
- if [ $j -lt $i -o $j -eq $i ]; then
- break
- fi
- done
-
- i=0
- for choice in "$@"; do
- i=$(expr $i + 1)
- if [ $i -eq $idx ]; then
- ANSWER=$1
- break;
- fi
- shift
- done
-
- echo "You selected: $ANSWER" >&2
-}
-
-
-echo "WARNING: This script is deprecated; please use" >&2
-echo " gpgsm --gen-key" >&2
-echo " instead." >&2
-KEY_TYPE=""
-while [ -z "$KEY_TYPE" ]; do
- query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
- case "$ANSWER" in
- RSA)
- KEY_TYPE=$ANSWER
- query_user_menu "Key length" "1024" "2048"
- KEY_LENGTH=$ANSWER
- KEY_GRIP=
- ;;
- Existing*)
- # User requested to use an existing key; need to set some dummy defaults
- query_user "Keygrip "
- if [ -n "$ANSWER" ]; then
- KEY_TYPE=RSA
- KEY_LENGTH=1024
- KEY_GRIP=$ANSWER
- fi
- ;;
- Direct*)
- tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
- awk '$2 == "SERIALNO" {print $3}')
- if [ -z "$tmp" ]; then
- echo "No card found" >&2
- else
- echo "Card with S/N $tmp found" >&2
- tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
- awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
- sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
- awk '$2 == "$AUTHKEYID" {print $3}')
- [ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
- query_user_menu "Select key " $tmp "back"
- if [ "$ANSWER" != "back" ]; then
- KEY_TYPE="card:$ANSWER"
- KEY_LENGTH=
- KEY_GRIP=
- fi
- fi
- ;;
- *)
- exit 1
- ;;
- esac
-done
-
-query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
-KEY_USAGE=$ANSWER
-
-query_user "Name (DN)"
-NAME=$ANSWER
-
-EMAIL_ADDRESSES=
-LF=
-while : ; do
- query_user "E-Mail addresses (end with an empty line)"
- [ -z "$ANSWER" ] && break
- EMAIL_ADDRESSES="${EMAIL_ADDRESSES}${LF}Name-Email: $ANSWER"
- LF='
-'
-done
-
-DNS_ADDRESSES=
-LF=
-while : ; do
- query_user "DNS Names (optional; end with an empty line)"
- [ -z "$ANSWER" ] && break
- DNS_ADDRESSES="${DNS_ADDRESSES}${LF}Name-DNS: $ANSWER"
- LF='
-'
-done
-
-URI_ADDRESSES=
-LF=
-while : ; do
- query_user "URIs (optional; end with an empty line)"
- [ -z "$ANSWER" ] && break
- URI_ADDRESSES="${URI_ADDRESSES}${LF}Name-URI: $ANSWER"
- LF='
-'
-done
-
-file_parameter=$(mktemp "/tmp/gpgsm.XXXXXX")
-outfile=$(mktemp "/tmp/gpgsm.XXXXXX")
-
-
-(
-cat < "$file_parameter"
-
-
-echo 'Parameters for certificate request to create:' >&2
-cat -n "$file_parameter" >&2
-echo >&2
-
-query_user_menu "Really create such a CSR?" "yes" "no"
-[ "$ANSWER" != "yes" ] && exit 1
-
-
-printf "$ASSUAN_COMMANDS" | \
- gpgsm --no-log-file --debug-level none --debug-none \
- --server 4< "$file_parameter" 5>"$outfile" >/dev/null
-
-cat "$outfile"
-
-rm "$file_parameter" "$outfile"
-exit 0