Certificate Authority using ed25519 key on Gnuk?
Terminada
gnupg.org at terminada.io
Fri Oct 4 10:33:11 CEST 2024
On 4/10/24 10:20, NIIBE Yutaka wrote:
> Terminada wrote:
>
>> It appears that gpgsm supports creating a self-signed CA but maybe only
>> for RSA keys?
>
> I don't know for X.509 CA use cases. Could you please ask gnupg-devel?
Yes, it seems that the failure relates to unimplemented functionality in
gpg-agent / gpgsm, rather than Gnuk.
I'll sign up to gnupg-devel and ask.
>
> For X.509 Ed25519 support, it would not be tested well or it's buggy,
> and the UI is not that good. Although I don't know if it's related, for
> X.509 EdDSA certificates, I can find this commit:
>
> https://dev.gnupg.org/rG6dc3846d78192e393be73c16c72750734a9174d1
>
That link gave me hope so I installed the latest development version of
gnupg and all dependencies and re-tried using the same parameter file
demonstrated in the commit that you linked (but with my keygrip).
Unfortunately gpgsm wouldn't work and I got a message saying "Signing
failed: Not implemented".
It seems strange to me that more people don't want to use ed25519 keys
protected by a smartcard as the basis for their self-signed CA. The
ed25519 keys have become much more commonly used and they seem better
suited for use on devices with limited resources like a smartcard.
Do you know if there is a way I can work around the gpgsm inadequacy?
Is there some way that I can do part of the self-signed CA creation with
openssl and then sign using gpg-agent talking to Gnuk? For example, I
believe it might be possible to use the ssh key equivalent of the gpg
private key in openssl to create the self-signed CA. However, I will
still need to sign user CSRs after the private key is residing on my
Gnuk token, which doesn't seem possible?
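An added example, not code from this thread, from GnuPG or from Gnuk, of the openssl half of the workaround the message asks about: it builds an Ed25519 self-signed CA and uses it to sign a user CSR, so the X.509 side of an Ed25519 CA can be exercised end to end. It assumes OpenSSL 1.1.1 or later and a CA key that is a plain file; signing with the key resident on the Gnuk through gpg-agent is exactly the step the message reports gpgsm does not implement, so it is not shown. The file names, subject names and config section names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, GnuPG or Gnuk): an Ed25519 X.509 CA
# and a user certificate issued entirely with openssl (1.1.1+ assumed).
# The CA key is a plain file here; a token-resident key would need a
# different signing backend, which is the gap the message describes.
set -eu

# Minimal openssl config with separate CA and end-entity extension
# sections, so the result does not depend on the system openssl.cnf.
write_config() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = Example Ed25519 Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Generate an Ed25519 CA key and a self-signed CA certificate.
# Ed25519 takes no separate digest option: the signature is pure EdDSA.
make_ed25519_ca() {
  dir="$1"
  write_config "$dir"
  openssl genpkey -algorithm ed25519 -out "$dir/ca.key"
  openssl req -new -x509 -key "$dir/ca.key" -config "$dir/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Ed25519 Root CA" -days 3650 \
    -out "$dir/ca.crt"
}

# Create a user key and CSR, then sign the CSR with the CA key.
# Extensions are taken from the CA side (v3_user), never from the CSR,
# so a requester cannot ask for CA:TRUE or keyCertSign and get it.
issue_user_cert() {
  dir="$1"; name="$2"
  openssl genpkey -algorithm ed25519 -out "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -config "$dir/ca.cnf" \
    -subj "/CN=$name" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/ca.cnf" -extensions v3_user -out "$dir/$name.crt"
}

# Returns 0 when the user certificate chains to the CA certificate.
verify_user_cert() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
}

# Print the signature algorithm a certificate was signed with.
signature_algorithm() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone demo in a scratch directory: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_ed25519_ca "$work"
  issue_user_cert "$work" alice
  verify_user_cert "$work" alice && echo "alice.crt chains to ca.crt"
  echo "CA signature algorithm: $(signature_algorithm "$work/ca.crt")"
  rm -rf "$work"
fi
```

The config file is passed with `-config` and `-extfile` on every call so the behaviour does not change with whatever `openssl.cnf` the host ships; keeping `v3_user` free of `keyCertSign` and with `CA:FALSE` is what stops an issued user certificate from being usable as an intermediate CA.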