LOTW information
Here is some information applicable to the following situation:
- you have a backup of an LOTW .tq6 file
- you have a backup of another LOTW file containing your RSA private key
- you do not have a backup of an LOTW .p12 file
- you want to use your backups to set up LOTW on a new computer
As far as I know, the official LOTW documentation does not cover this
situation and advises you to make a new certificate request. This
seems unnecessary. The following is an outline of the approximate steps.
This documentation assumes that the reader is able to use command-line
programs in a Linux, OS X, or UNIX environment, and is able to
edit text files. For this example, assume this applies to LOTW setup
for the callsign W1AW. This example does not discuss how to preserve
station locations; it is only about preserving your ability to
authenticate for log signing.
- gunzip -c W1AW.tq6 > W1AW.tq6.unzipped
- open W1AW.tq6.unzipped in a text editor
- manually convert the multiple certificates to PEM format by removing all of the XML markup
You want the file to end up looking like the following. (This example has three certificates; more are possible.) There is one blank line after
the last "-----END CERTIFICATE-----" line for readability purposes later.
-----BEGIN CERTIFICATE-----
various base64 data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
various base64 data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
various base64 data
-----END CERTIFICATE-----
You do not want to preserve any of the configuration data (aka tqslconfig) after the
three certificates. The "</usercert>" line and everything after it should be discarded.
- save the edited W1AW.tq6.unzipped file
- find the LOTW file containing your RSA private key
  - the location of this file might depend on your operating system, original
    version of LOTW, or other factors
  - one possible location is ~/.tqsl/keys/W1AW
  - this file contains private data: you may need to stay aware of the
    file permissions, and avoid placing this file on a public web server or
    emailing this file to untrusted persons
- copy this file to W1AW.rsa
- extract only the RSA PRIVATE KEY block without the extra markup (if there is more than one such block, choose the last one)
You want it to end up looking like:
-----BEGIN RSA PRIVATE KEY-----
various base64 data
-----END RSA PRIVATE KEY-----
You do not need anything after the "-----END RSA PRIVATE KEY-----" line. In particular,
you should not keep the "BEGIN PUBLIC KEY" section.
- save the edited W1AW.rsa file, again keeping in mind that this is private data
- cat W1AW.tq6.unzipped W1AW.rsa > W1AW.pem
- openssl pkcs12 -export -in W1AW.pem > W1AW.p12
  - if you see an "asn1 encoding routines" error message, then the W1AW.pem file is not in the right format:
    you may need to redo all of the steps more carefully or adapt them to your specific environment
  - press "Enter" after both Export Password prompts to have a blank password
  - because W1AW.pem and W1AW.p12 contain all of the W1AW.rsa information, they are also private data
  - note that, although W1AW.pem is a text file, W1AW.p12 is not a text file (it is a binary file)
- go to https://lotw.arrl.org/lotw-help/moving/ step 3
  - in other words, within the TQSL application, you will be able to select the W1AW.p12 file as a "Callsign Certificate container file"
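
The hand-editing steps above (drop the markup, discard everything from "</usercert>" on, keep only the last RSA PRIVATE KEY block, concatenate) can also be scripted. The following Python code is an added example, not part of the original page or of TQSL; the function names and the sample input are constructed, and it assumes the PEM BEGIN/END lines appear in both files as shown above.

```python
import gzip, os, re

def _blocks(label, text):
    # Every complete PEM block of the given type, in file order.
    pat = rf"-----BEGIN {label}-----.*?-----END {label}-----"
    return re.findall(pat, text.replace("\r\n", "\n"), re.S)

def certs_from_tq6(raw):
    """Certificates from a .tq6; everything from </usercert> on is discarded."""
    if raw[:2] == b"\x1f\x8b":              # gzip magic, i.e. needs `gunzip -c`
        raw = gzip.decompress(raw)
    head, marker, _ = raw.decode("ascii", "replace").partition("</usercert>")
    certs = _blocks("CERTIFICATE", head)
    if not marker or not certs:
        raise ValueError("no certificates before </usercert>; wrong file?")
    return certs

def last_rsa_key(keyfile_text):
    """The last RSA PRIVATE KEY block; PUBLIC KEY sections are never matched."""
    keys = _blocks("RSA PRIVATE KEY", keyfile_text)
    if not keys:
        raise ValueError("no RSA PRIVATE KEY block found")
    return keys[-1]

def build_pem(tq6_raw, keyfile_text):
    """Text equivalent to `cat W1AW.tq6.unzipped W1AW.rsa` after hand editing."""
    return "\n".join(certs_from_tq6(tq6_raw) + [last_rsa_key(keyfile_text)]) + "\n"

def write_private(path, data):
    # Owner-only (0600) and O_EXCL so an existing file is never overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

# Constructed sample input: placeholder base64 and placeholder markup, not real data.
def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

SAMPLE_TQ6 = gzip.compress((
    f"<cert>{_pem('CERTIFICATE', 'AAAA')}</cert>\n"
    f"<usercert>{_pem('CERTIFICATE', 'BBBB')}\n</usercert>\n"
    f"<tqslconfig>{_pem('CERTIFICATE', 'ZZZZ')}</tqslconfig>\n").encode())
SAMPLE_KEYFILE = (
    f"<markup>{_pem('PUBLIC KEY', 'PPPP')}\n<markup>{_pem('RSA PRIVATE KEY', 'OLD1')}\n"
    f"<markup>{_pem('PUBLIC KEY', 'QQQQ')}\n<markup>{_pem('RSA PRIVATE KEY', 'NEW2')}\n")

if __name__ == "__main__":
    print(build_pem(SAMPLE_TQ6, SAMPLE_KEYFILE), end="")
```

With real files, pass the bytes of W1AW.tq6 and the text of the key file to build_pem, save the result with write_private("W1AW.pem", ...), and continue with the openssl pkcs12 step above.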