To install and set up KMail to use X509 certificates you will need the following packages installed.
Your distribution may already have installed all or some of these packages. If you are not sure, rpm -qi [package-name] will tell you. It would be wise at this stage to update all the packages to be installed to the latest versions available for your distribution.
Once all the packages are installed and before you do anything else you will need to add some environment variables to your .bashrc file and your .bash_profile file.
Add the following to your .bashrc file:
Add the following to your .bash_profile file:
The above are important, especially the command to start gpg-agent in your .bash_profile file. gpg-agent must be started before KMail and gnupg, or else you will run into problems that can be hard to diagnose: the error messages do not always tell you that the cause is gpg-agent not running.
At this stage log out and log back in again to start gpg-agent.
To check if gpg-agent is running enter the command gpg-agent at your prompt. You should see something similar to the following:
[graeme@barney ~]$ gpg-agent
gpg-agent: gpg-agent running and available
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
[graeme@barney ~]$
Start KDEPIM either from your Applications Menu or from the command line. Click on 'Mail' to bring up KMail then 'Settings' --> 'Configure KMail' --> 'Security' --> 'Crypto Backends'. You should see a box with S/MIME (gpgsm) beside it and possibly, if you also installed gnupg, a box with OpenPGP (gpg). If not click on 'Rescan'. Check the box next to S/MIME (gpgsm) for X509 certificates. You can also tick the box for OpenPGP (gpg) if you wish. Click 'Configure' and see what is already configured. No need to change anything here.
We now come to the part where nothing works as expected. gpgsm is broken! It does not import any X509 certificate in .p12 format and, although it will import your X509 certificate in .crt format, it is incapable of extracting the secret key and storing it in the ~/.gnupg/private-keys-v1.d directory.
There is a workaround at http://gnupg.org/aegypten/development.en.html. Follow the instructions in the section 'Prerequisites for using OpenPGP or S/MIME' and the workaround written by Matthias Welwarsky titled 'How to import externally generated keys and certificates into Gpgsm'.
Before doing this you will need to get both your X509 certificate and the CA's root certificate in *.crt format. You should be able to download the CA's root certificate in this format easily enough from their web site. Probably the easiest way to get your X509 certificate in *.crt format is to collect it from the CA's web site with a browser that isn't able to install it automatically into its own certificate store, such as Konqueror. When the CA's site tries to install it into Konqueror you will be presented with a download dialogue. Download it to a directory of your choice. You will now need to go to the CA's site with a browser that can handle X509 certificates, such as Firefox. Once the certificate is loaded into Firefox, export it to the same directory as before and save it in *.p12 format.
You should now have three files: the CA's root certificate in .crt format, your X509 certificate in .crt format, and the backup from Mozilla of your X509 certificate in .p12 format.
Add the necessary lines to the various .conf files, found in your ~/.gnupg directory, as instructed on the workaround page. Then follow the instructions on the same page to import the certificate files. Remember, gpgsm is broken: it should have no difficulty importing the .crt files, but it cannot extract the secret key from the certificate bundle file and save it. You have to import the key using the workaround.
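Before running the import it helps to confirm that the three files really are what the steps above expect. The following Python script is an added example, not part of this howto or of GnuPG: it sniffs each file's outer structure (PEM, DER certificate, or PKCS#12 bundle) and flags a .crt file that also carries a private key, since the key should only ever travel inside the password-protected .p12. The file names and sample bytes are constructed for the demonstration.

```python
import base64
import re

# One PEM block per match; the label is captured so a .crt that also carries a key gets noticed.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_length(buf, pos):
    # Decode the DER length field at buf[pos]; return (length, position after it).
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    count = buf[pos] & 0x7F
    if not 1 <= count <= 4:
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def classify_der(buf):
    """Certificate = SEQUENCE { SEQUENCE tbsCertificate, ... }; PKCS#12 PFX = SEQUENCE { INTEGER 3, ... }."""
    try:
        outer_len, pos = _der_length(buf, 1)
        if buf[0] != 0x30 or pos + outer_len != len(buf):  # not a SEQUENCE, truncated, or trailing bytes
            return "unknown"
        if buf[pos] == 0x30:
            return "der-certificate"
        if buf[pos] == 0x02 and _der_length(buf, pos + 1) == (1, pos + 2) and buf[pos + 2] == 3:
            return "pkcs12"
    except (ValueError, IndexError):
        pass
    return "unknown"

def classify(data):
    # Sorted list of the content kinds found in one file's bytes.
    kinds = set()
    for label, body in PEM_BLOCK.findall(data):
        if label == b"CERTIFICATE":  # confirm the base64 payload really is a DER certificate
            inner = classify_der(base64.b64decode(body))
            kinds.add("pem-certificate" if inner == "der-certificate" else "unknown")
        else:
            kinds.add("pem-private-key" if label.endswith(b"PRIVATE KEY") else "pem-other")
    return sorted(kinds) if kinds else [classify_der(data)]

def check_import_set(files):
    """files maps a file name to its bytes; returns the problems found, an empty list meaning ready to import."""
    problems = []
    for name, data in files.items():
        kinds = classify(data)
        want = "pkcs12" if name.endswith(".p12") else "certificate"
        if not any(k.endswith(want) for k in kinds):
            problems.append(f"{name}: expected {want}, found {kinds}")
        if "pem-private-key" in kinds:
            problems.append(f"{name}: carries a private key; keep keys out of .crt files")
    return problems

SAMPLE_DER_CERT = bytes.fromhex("3005300302010a")  # constructed: minimal DER skeletons, not real certificates
SAMPLE_PKCS12 = bytes.fromhex("3006020103300100")
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER_CERT) + b"\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_WITH_KEY = SAMPLE_PEM_CERT + b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

Call check_import_set with the bytes of your real ca.crt, user.crt and user.p12 files; anything other than an empty list means one of the downloads is not in the format the workaround expects.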
The above instructions worked for my RedHat Fedora 7 installation and should work on most installations. The real secret to getting X509 certificate support in KMail is the workaround that overcomes gpgsm's inability to extract the secret key from the certificate bundle, and making sure that gpg-agent is running before starting KMail and gnupg.