
Kleopatra: Make creation of S/MIME certificate signing request accessible
Testing, Normal, Public

Description

Edit 2025-07-21

We want to:

  • model the CSR after the OpenPGP key creation dialog, show only name and email, hide all other fields behind "advanced settings"
    • order of advanced settings: algorithm, usage, L, OU, O, C, additional mail addresses, DNS names, URIs
    • use simple multi line text inputs for the last 3 items
    • remove display of DN
  • show a Save File dialog after successful creation of the CSR instead of the result dialog.

This is the S/MIME counterpart of T5832: Kleopatra: Make OpenPGP certificate generation (with default settings) accessible.

Revisions and Commits

rLIBKLEO Libkleo
rKLEOPATRA Kleopatra

Event Timeline

I have closed T4699 as a duplicate of this; even though T4699 was about simplification, IMO this is the same underlying problem.

My wish would be to unify this more with the OpenPGP dialog. Only ask about Name and Mail and extend the OpenPGP dialog to accept more than one mail address, similar to the S/MIME dialog. All other things for the CN should be hidden by default.

ebo edited projects, added vsd34, gpd5x, a11y; removed Restricted Project.

Notes for testing (and maybe documentation update):

  • A few features (?) of the old CSR creation have been removed:
    • The different choices offered after CSR creation (e.g. save to file, send to CA, create signing/encryption CSR with same settings, etc.) have been removed; now a file save dialog pops up when the CSR has been generated
    • Custom labels for the RSA key sizes ([CertificateCreationWizard]RSAKeySizeLabels); we use GnuPG's algorithm IDs as labels (items in the drop down box)
    • Custom key type ([CertificateCreationWizard]CMSKeyType); CSR creation supported (and still supports) only RSA as "key type"; by marking the config key as immutable one could force the creation of signing+encryption CSRs which makes little sense for S/MIME and might have been "copied" from OpenPGP key creation where forcing the generation of keys for signing & encryption does make some sense.
    • Specification of the CA's email address ([CertificateCreationWizard]CAEmailAddress); the generated CSRs are now always written to disk; the users will have to create an email themselves

The following customization is still available/supported via config entries in the [CertificateCreationWizard] group:

  • RSAKeySizes: the allowed RSA key sizes; only 2048, 3072, and 4096 are supported; defaults to the compliant RSA algorithms; the default RSA key size can be specified by listing the negative size (e.g. -4096); defaults to the built-in default of gpgsm (currently, RSA 3072)
  • DNAttributeOrder: the DN attributes that shall be offered when creating a CSR; defaults to L,OU,O,C; attributes can be flagged as required by appending a ! to their name; CN! and EMAIL! are implicitly included and always listed first; in particular, CN and EMAIL are required by default; check the DN-Attribute Order configuration in the settings dialog for other supported attributes (but note that the DN-Attribute Order configuration is only used when displaying DNs)
  • For all attributes the following config entries are supported (where ATTR is the name of the attribute):
    • ATTR: The default value to use for the attribute; if flagged as immutable then the user cannot change the value
    • ATTR_label: The label to display in the CSR creation dialog
    • ATTR_hint (or ATTR_placeholder): A hint to display in the CSR creation dialog, e.g. if a certain format is required
    • ATTR_regex: A regular expression to enforce values matching the regular expression
ikloecker changed the task status from Open to Testing. Sep 2 2025, 4:53 PM
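The configuration scheme described in the notes above (RSAKeySizes with a negative entry for the preselected size, DNAttributeOrder with `!` for required attributes, CN and EMAIL always implied and listed first, and the ATTR / ATTR_label / ATTR_hint / ATTR_regex entries) can be read back with a small parser. The following Python is an added example written for this page; it is not Kleopatra's or Libkleo's code and does not use KConfig. It treats kleopatrarc as plain INI text, reads KConfig's `KEY[$i]=` suffix as the immutable marker, and ignores `[$i]` on CN and EMAIL as the thread later confirms. The sample kleopatrarc is constructed, modelled on the tester's file. One behaviour is an assumption because the task does not state it: when no negative size is listed and gpgsm's default 3072 is not offered, the example preselects the first offered size.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facts taken from the task notes: only these RSA sizes are offered, gpgsm's
# built-in default is RSA 3072, and the DN attribute order defaults to L,OU,O,C.
SUPPORTED_RSA_SIZES = (2048, 3072, 4096)
GPGSM_DEFAULT_RSA_SIZE = 3072
DEFAULT_DN_ATTRIBUTE_ORDER = "L,OU,O,C"
IMPLICIT_ATTRIBUTES = ("CN", "EMAIL")  # always included, required and listed first


@dataclass
class AttributeSpec:
    name: str
    required: bool = False
    default: Optional[str] = None
    immutable: bool = False
    label: Optional[str] = None
    hint: Optional[str] = None
    regex: Optional[str] = None

    def validate(self, value: str) -> bool:
        """Accept a user-entered value under this attribute's constraints."""
        if self.immutable and self.default is not None:
            return value == self.default  # fixed by the administrator
        if value == "":
            return not self.required
        if self.regex is not None:
            return re.fullmatch(self.regex, value) is not None
        return True


def parse_kleopatrarc_group(text: str, group: str = "CertificateCreationWizard"):
    """Collect the key/value pairs of one INI group from kleopatrarc text.

    Later groups with the same name and later keys override earlier ones.
    ``KEY[$i]=`` is KConfig's immutable marker; the suffix is stripped and the
    key is recorded in the returned set of immutable keys.
    """
    entries: dict = {}
    immutable: set = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != group or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("[$i]"):
            key = key[:-4]
            immutable.add(key)
        entries[key] = value
    return entries, immutable


def rsa_key_sizes(entries: dict):
    """Return (offered sizes, preselected size) derived from RSAKeySizes."""
    offered = []
    preselected = None
    for token in entries.get("RSAKeySizes", "").split(","):
        token = token.strip()
        if not token:
            continue
        size = int(token)
        if size < 0:  # a negative entry such as -4096 marks the preselected size
            size, preselected = -size, -size
        if size in SUPPORTED_RSA_SIZES and size not in offered:
            offered.append(size)
    if not offered:
        offered = list(SUPPORTED_RSA_SIZES)
    if preselected not in offered:
        # Assumption (not stated in the task): fall back to gpgsm's default if
        # it is offered, otherwise to the first offered size.
        preselected = GPGSM_DEFAULT_RSA_SIZE if GPGSM_DEFAULT_RSA_SIZE in offered else offered[0]
    return offered, preselected


def dn_attributes(entries: dict, immutable: set):
    """Build the attribute fields the CSR dialog would show, in display order."""
    names = []
    required = set(IMPLICIT_ATTRIBUTES)
    for token in entries.get("DNAttributeOrder", DEFAULT_DN_ATTRIBUTE_ORDER).split(","):
        token = token.strip()
        if token.endswith("!"):  # trailing ! flags the attribute as required
            token = token[:-1]
            required.add(token)
        if token and token not in names and token not in IMPLICIT_ATTRIBUTES:
            names.append(token)
    specs = []
    for name in IMPLICIT_ATTRIBUTES + tuple(names):
        specs.append(AttributeSpec(
            name=name,
            required=name in required,
            default=entries.get(name),
            # [$i] on CN or EMAIL is ignored, as confirmed later in the thread
            immutable=name in immutable and name not in IMPLICIT_ATTRIBUTES,
            label=entries.get(f"{name}_label"),
            hint=entries.get(f"{name}_hint", entries.get(f"{name}_placeholder")),
            regex=entries.get(f"{name}_regex"),
        ))
    return specs


# Constructed sample modelled on the tester's kleopatrarc; not a real deployment.
SAMPLE_KLEOPATRARC = """\
[CertificateCreationWizard]
RSAKeySizes=2048,-4096
DNAttributeOrder=C,L,O!,OU!
O[$i]=Example Org
O_label=Organisation
OU_hint=Your department
OU_regex=[A-Za-z ]+
CN[$i]=Fixed Name
"""

if __name__ == "__main__":
    found, fixed = parse_kleopatrarc_group(SAMPLE_KLEOPATRARC)
    print(rsa_key_sizes(found))
    for spec in dn_attributes(found, fixed):
        print(spec)
```

Running the block prints the offered sizes with 4096 preselected and the six fields CN, EMAIL, C, L, O, OU; O comes back fixed to "Example Org", while the `[$i]` on CN has no effect and CN stays editable with "Fixed Name" as its default.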
timegrid added a subscriber: timegrid.

Looks good to me on gpg4win-5.0.0-beta369 @ win10

  • initial form is reduced
  • order of advanced fields is correct
  • last 3 input fields are simple
  • dn is not shown
  • file save dialog pops up after creation

Generated requests:

  • Only required fields (name, email)
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN=csr test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:test.csr@gnupg.test
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [...]
  • All fields (signing only, rsa4096)
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=COUNTRY CODE, O=ORGANIZATION, OU=ORGANIZATIONAL UNIT, L=LOCATION, CN=csr all fields
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    URI:http://gnupg.test, URI:http://gpg.test, DNS:gnupg.test, DNS:gpg.test, email:allfields.csr@gnupg.test, email:add1.allfields.csr@gnupg.test, email:add2.allfields.csr@gnupg.test, email:add3.allfields.csr@gnupg.test
                X509v3 Key Usage: critical
                    Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [...]

Also the kleopatrarc settings seem to work, e.g.

[CertificateCreationWizard]
RSAKeySizes=2048,4096
DNAttributeOrder=C,L,O!,OU!

CN=CN
CN_label=CN_label
CN_hint=CN_hint
CN_regex=CN_*

EMAIL=EMAIL
EMAIL_label=EMAIL_label
EMAIL_hint=EMAIL_hint
EMAIL_regex=EMAIL_*

OU[$i]=OU
OU_label=OU_label
OU_hint=OU_hint
OU_regex=OU_*

O[$i]=O
O_label=O_label
O_hint=O_hint
O_regex=O_*

L[$i]=L
L_label=L_label
L_hint=L_hint
L_regex=L_*

C[$i]=C
C_label=C_label
C_hint=C_hint
C_regex=C_*

[CertificateCreationWizard]
DNAttributeOrder=FAX!
FAX=FAX
FAX_label=FAX_label
FAX_hint=FAX_hint
FAX_regex=FAX_*

Notes (probably as intended):

  • [$i]mmutable does not work for CN or EMAIL
  • _X_ does not work as ATTR
ikloecker mentioned this in Unknown Object (Maniphest Task). Sep 15 2025, 9:51 AM
  • All fields (signing only, rsa4096)
Certificate Request:

[...]

X509v3 Key Usage: critical
    Key Encipherment, Data Encipherment

I guess this is a typo because the CSR looks like an encryption-only certificate.

Notes (probably as intended):

  • [$i]mmutable does not work for CN or EMAIL

Yes. I don't think it makes much sense for an organization to force a fixed CN or EMAIL for the CSRs of a user.

  • _X_ does not work as ATTR

Yes. _X_ is the placeholder/wildcard used for unknown attributes when displaying S/MIME certificates.

I found and fixed a bug (likely a regression in the new code): When CN_prefill or EMAIL_prefill is configured as true and no fixed CN or EMAIL is configured then Kleopatra should prefill Name and Email with values taken from CONFIGDIR/emaildefaults (used by KDE apps on Linux), from the Windows user or from the EMAIL environment variable. This didn't work anymore.

ikloecker mentioned this in Unknown Object (Maniphest Task). Sep 22 2025, 9:55 AM

I guess this is a typo because the CSR looks like an encryption-only certificate.

Right, sorry, this works as expected:

Sign only:

X509v3 Key Usage: critical
    Digital Signature, Non Repudiation

Encrypt only:

X509v3 Key Usage: critical
    Key Encipherment, Data Encipherment
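The checks the tester performed by eye above (subject, RSA size, SAN entries, and the key usage bits that distinguish sign-only, encrypt-only and sign+encrypt requests) can be scripted against the text form of a CSR. The following Python is an added example for this page, not Kleopatra's code or a GnuPG tool; it parses `openssl req -text -noout` style output as it appears in this thread, where the value of the SAN and Key Usage extensions sits on the single line after the heading, and it does not handle other layouts or comma-containing RDN values. The embedded samples are trimmed copies of the listings posted above, and the usage names ("sign-only" and so on) are the example's own labels.

```python
import re

# Key usage bits per the thread: sign-only and encrypt-only CSRs carry one pair
# each, a sign+encrypt CSR carries all four.
SIGN_BITS = frozenset({"Digital Signature", "Non Repudiation"})
ENCRYPT_BITS = frozenset({"Key Encipherment", "Data Encipherment"})


def parse_csr_text(text: str) -> dict:
    """Extract subject RDNs, modulus size, SAN entries and key usage bits."""
    info = {"subject": {}, "key_bits": None, "san": [],
            "key_usage": frozenset(), "key_usage_critical": False}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Subject:"):
            for rdn in line[len("Subject:"):].split(","):
                if "=" in rdn:
                    key, value = rdn.split("=", 1)
                    info["subject"][key.strip()] = value.strip()
        elif line.startswith("Public-Key:"):
            match = re.search(r"\((\d+) bit\)", line)
            if match:
                info["key_bits"] = int(match.group(1))
        elif line.startswith("X509v3 Subject Alternative Name:"):
            info["san"] = [e.strip() for e in following.split(",") if e.strip()]
        elif line.startswith("X509v3 Key Usage:"):
            info["key_usage_critical"] = "critical" in line
            info["key_usage"] = frozenset(b.strip() for b in following.split(",") if b.strip())
    return info


def classify_usage(bits) -> str:
    """Map the key usage bits to the usage the CSR dialog was set to."""
    has_sign, has_encrypt = SIGN_BITS <= bits, ENCRYPT_BITS <= bits
    if has_sign and has_encrypt:
        return "sign+encrypt"
    if has_sign:
        return "sign-only"
    if has_encrypt:
        return "encrypt-only"
    return "none"


def check_csr(info: dict, expected_usage: str, expected_emails,
              allowed_key_bits=(2048, 3072, 4096)) -> list:
    """Return findings for a parsed CSR; an empty list means it matches."""
    findings = []
    if classify_usage(info["key_usage"]) != expected_usage:
        findings.append(f"key usage {sorted(info['key_usage'])} is not {expected_usage}")
    if not info["key_usage_critical"]:
        findings.append("key usage extension is not marked critical")
    if info["key_bits"] not in allowed_key_bits:
        findings.append(f"RSA {info['key_bits']} is not an allowed size")
    san_emails = {e[len("email:"):] for e in info["san"] if e.startswith("email:")}
    findings += [f"{a} missing from subjectAltName" for a in expected_emails if a not in san_emails]
    if "CN" not in info["subject"]:
        findings.append("subject has no CN")
    return findings


# Trimmed copies of the two CSR listings posted in this thread.
SAMPLE_CSR_DEFAULT = """\
Certificate Request:
    Data:
        Subject: CN=csr test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:test.csr@gnupg.test
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
"""
SAMPLE_CSR_ALL_FIELDS = """\
Certificate Request:
    Data:
        Subject: C=COUNTRY CODE, O=ORGANIZATION, OU=ORGANIZATIONAL UNIT, L=LOCATION, CN=csr all fields
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    URI:http://gnupg.test, DNS:gnupg.test, email:allfields.csr@gnupg.test, email:add1.allfields.csr@gnupg.test
                X509v3 Key Usage: critical
                    Key Encipherment, Data Encipherment
"""

if __name__ == "__main__":
    for sample, usage, mails in ((SAMPLE_CSR_DEFAULT, "sign+encrypt", ["test.csr@gnupg.test"]),
                                 (SAMPLE_CSR_ALL_FIELDS, "encrypt-only", ["allfields.csr@gnupg.test"])):
        parsed = parse_csr_text(sample)
        print(classify_usage(parsed["key_usage"]), check_csr(parsed, usage, mails) or "OK")
```

The classifier is what turns the "Key Encipherment, Data Encipherment" listing in the earlier report into the encrypt-only reading ikloecker pointed out: it requires both bits of a pair, so a CSR that somehow carried only Digital Signature would be reported as "none" rather than silently passing as sign-only.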