secret key export in p12 format

Hi All,

I am trying to export my certificate and private key as p12 file to install a smartcard. But my Kleopatra does not allow p12 type file name. When I select the “Export Secret Keys” choice, it wants a file name from me. When I write a file name with a p12 extension (e.g. a.p12), it changes the file extension to gpg (e.g. a.gpg).

Thanks in advance.


As far as I know, Kleopatra will only export X.509 (S/MIME) certificates as .p12 (or .der) files. All OpenPGP keys are exported as .asc, .pgp or .gpg. I think this has something to do with the format of the keys, but I’m not sure.

Sean C.
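
Added example, not part of any post in this thread: the extension Kleopatra writes follows the key's format, so a sketch like the one below identifies an export by its leading bytes rather than its name. It goes slightly beyond the reply above by also recognising other DER files; the function names and sample bytes are constructed for illustration.

```python
"""Identify a key export by its leading bytes, not by its file extension."""

PGP_TAGS = {5: "secret key", 6: "public key"}  # OpenPGP packet tags (RFC 4880)


def der_content_offset(data: bytes):
    """Offset just past an outer ASN.1 SEQUENCE header, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first <= 0x80:            # short-form length, or BER indefinite (0x80)
        return 2
    n = first & 0x7F             # long form: n further length octets
    return 2 + n if n <= 4 else None


def classify_key_file(data: bytes) -> str:
    if data.lstrip().startswith(b"-----BEGIN PGP "):
        return "openpgp-armored"
    off = der_content_offset(data)
    if off is not None:
        # A PKCS#12 PFX is SEQUENCE { version INTEGER 3, ... }
        return "pkcs12" if data[off:off + 3] == b"\x02\x01\x03" else "der-other"
    if data and data[0] & 0x80:  # OpenPGP packet header always has bit 7 set
        b = data[0]
        tag = b & 0x3F if b & 0x40 else (b >> 2) & 0x0F
        return "openpgp-binary (%s)" % PGP_TAGS.get(tag, "packet tag %d" % tag)
    return "unknown"


# Constructed header bytes for illustration; not taken from real keys.
SAMPLES = {
    "a.p12": bytes.fromhex("308209d1020103308209"),
    "a.gpg": bytes.fromhex("9503c604"),
    "a.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n",
    "cert.der": bytes.fromhex("308203a53082028d"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify_key_file(blob))
```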

The p12 format is a part of the mystery of X509 which is not well explained in the Kleopatra manual, unfortunately. The Kleopatra Help manual does provide an indication for export of S/MIME secret keys (x509) … "See the discussion of the --p12-charset charset option in the GpgSM manual for more details."
If you find this manual, it would be good to say where. I suspect you’ll have to explore the “gnupg-xxxxxxx.tar.bz2” for further details of the treatment of S/MIME certificates.

There are several sources for free X.509 certificates on the web. I got one from StartCom. Once imported, the certificate can be used just like an OpenPGP key to encrypt and sign files, but with the added benefit of varying levels of verification by a third party. Options for X.509 certificates in Kleopatra become available automatically after the certificate is imported. Kleopatra automatically exports X.509 certificates in .p12 or .der formats.

These links may be useful:

And for Philip:

Sean C.

Thanks for this info Sean - I’ll follow up your links over the next period when I’ve some time.

I’ve got a free 509 certificate through CAcert. It works well for logins to their website, also it works fine for signing OpenOffice documents. On the other hand, I cannot use it through Gpg4win to encrypt and sign documents because I cannot get Kleopatra to trust the root certificate.
Unlike gpg web of trust procedures, an X509 certificate is only trusted if the whole chain up to and including the root is trusted and there lies my entire 509 problem with Kleopatra. I think (I may be mistaken) that I’ve complied with all the recommendations in the Kleopatra / Gpg4win documentation but when I click on “trust root certificate”, Kleopatra rewrites my trustlist.txt file but the root is still not trusted.

Furthermore, as long as I configure Kleopatra to use the CAcert CRL, it takes over 20 minutes after start-up before Kleopatra displays any certificate (gpg or 509). If I disable the CRL checks, Kleopatra starts up practically instantaneously with all certs displayed.

I am left with several doubts:

  • have I missed something?
  • have I given an incorrect instruction to Kleopatra re lookups of CRL?
  • is Kleopatra looking in the wrong place for some info it needs in Win7 64 bit? (there is some evidence in the documentation that it may not have been fully updated for 64 bit Windows)

In the meantime, I’m still seeking to improve my knowledge on X509 but I’m relying only on gpg encryption and leaving X509 unused until I find the answer I’m seeking.

As was discussed in one of the gpg4win mailing lists: CAcert uses CRLs in a slightly broken way, they are really big and do not have a reasonable time-to-live (expiration date), so for each checked certificate a new one is generated.