
I have a digital cert issued by my organization for signing email. It's imported into Thunderbird and the key and cert can be exported to a .p12 from within Thunderbird.

I'd like to use the .p12 to generate a GnuPG key pair for use with the Thunderbird Enigmail extension. Is this possible to do, or are the technologies just way too different?

I've been able to export both the private key and cert to x509 certs. I've imported the private key to GnuPG via gpgsm. If I issue gpgsm --list-secret-keys, I get (some info redacted):

$ gpgsm --list-secret-keys  
/home/use/.gnupg/pubring.kbx
--------------------------------
           ID: 0xFFFFFFFFAxxx
          S/N: 00C2A8Exxx
       Issuer: /CN=COMODO SHA-256 Client Authentication and Secure Email CA/O=COMODO CA Limited/L=Salford/ST=Greater Manchester/C=GB
      Subject: /CN=xxx/.../C=US/EMail=user@domain.com/...
          aka: useralias@domain.com
          aka: user@domain.com
     validity: 2017-03-28 00:00:00 through 2020-03-27 23:59:59
     key type: 2048 bit RSA
    key usage: digitalSignature keyEncipherment
ext key usage: emailProtection (suggested), clientAuth (suggested)
     policies: 1.3.6.1.4.1.6449.1.2.1.3.5:N:
  fingerprint: B2:8F:37:BA:xxx

Do I need to import the public key into gnupg as well? It doesn't show up when I do --list-keys. Also, do I then need to export the key pair from GnuPG for use with Enigmail?

Jens Erat
Server Fault

1 Answer

While X.509 and OpenPGP share the same cryptographic algorithms, both have incompatible formats and certification/trust models (hierarchical vs. web of trust). Theoretically you could convert the keys between the formats, but you would lose certificates on the key and still could not use the key to communicate with people using the other system. You would still handle the keys as a completely different key pair, but at the same time expose it to issues in both systems/implementations.

gpgsm is a GnuPG implementation of GnuPG, but not supported by Thunderbird and Enigmail. As you already realized, Thunderbird has built-in support for X.509 -- you can manage the keys in the preferences (Advanced, then Certificates).

Jens Erat
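As an added illustration of the format mismatch discussed in the answer (this is not code from the answer or from GnuPG): the sketch below computes an OpenPGP version 4 fingerprint as RFC 4880 defines it, showing that it covers only the key material and an OpenPGP creation time, so nothing the CA certified is carried over and the same RSA numbers get a new identity. The modulus, exponent and creation times are constructed sample values, and the function names are chosen for this example.

```python
import hashlib
import struct

RSA_ALGO_ID = 1  # OpenPGP public-key algorithm ID for RSA (RFC 4880, section 9.1)

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def openpgp_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return (bytes([4])                    # packet version
            + struct.pack(">I", created)  # key creation time, seconds since epoch
            + bytes([RSA_ALGO_ID])
            + mpi(n) + mpi(e))

def openpgp_v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    body = openpgp_public_key_body(n, e, created)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()

# Constructed sample values: a 2048-bit placeholder number, not a real modulus.
SAMPLE_N = (1 << 2047) + 0x1234567
SAMPLE_E = 65537

def fingerprints_for_two_imports():
    """Same RSA numbers wrapped as OpenPGP keys with creation times 1 s apart."""
    first = openpgp_v4_fingerprint(SAMPLE_N, SAMPLE_E, 1490659200)  # assumed time
    second = openpgp_v4_fingerprint(SAMPLE_N, SAMPLE_E, 1490659201)
    return first, second

if __name__ == "__main__":
    fp_a, fp_b = fingerprints_for_two_imports()
    # An X.509 fingerprint is a hash of the whole encoded certificate (issuer,
    # subject, validity, CA signature). None of those fields are inputs here,
    # so the OpenPGP identity is unrelated to the certificate's fingerprint.
    print("OpenPGP fingerprint, import 1:", fp_a)
    print("OpenPGP fingerprint, import 2:", fp_b)
    print("Same key material, same identity?", fp_a == fp_b)
```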