Creating X.509 certificates with GnuPG

Werner Koch wk at
Tue Mar 1 18:15:24 CET 2011


Those who follow the commit list may have noticed it: It is now possible
to create an X.509 certificate using GPGSM.  The reason I implemented
this is that it was pretty easy to twist the PKCS#10 generation code to
allow the creation of X.509 certificates directly.  Another reason is
that I was never able to recall the OpenSSL commands to create a
certificate (in particular not if you want an rfc822Name).

Here is how the UI looks:

  $ gpgsm --gen-key >x.pem  
  Please select what kind of key you want:
     (1) RSA
     (2) Existing key
     (3) Existing key from card
  Your selection? 1
  What keysize do you want? (2048) 
  Requested keysize is 2048 bits
  Possible actions for a RSA key:
     (1) sign, encrypt
     (2) sign
     (3) encrypt
  Your selection? 1
  Enter the X.509 subject name: CN=Joe Hacker, O=Hackers United, C=unv
  Enter email addresses (end with an empty line):
  > joe at
  > joe.hacker at
  Enter DNS names (optional; end with an empty line):
  Enter URIs (optional; end with an empty line):
  Create self-signed certificate? (y/N) y
  These parameters are used:
      Key-Type: RSA
      Key-Length: 2048
      Key-Usage: sign, encrypt
      Serial: random
      Name-DN: CN=Joe Hacker, O=Hackers United, C=unv
      Name-Email: joe at
      Name-Email: joe.hacker at
  Proceed with creation? (y/N) y
  Now creating self-signed certificate.  This may take a while ...
  gpgsm: about to sign the certificate for key: &B71FA28BCE8B2[...]
  gpgsm: certificate created
  $ gpgsm --import x.pem
  gpgsm: certificate imported
  gpgsm: total number processed: 1
  gpgsm:               imported: 1
Running gpgsm -k on it shows:  

           ID: 0x159A7D3D
          S/N: 6E3E32BC38A687E8
       Issuer: /CN=Joe Hacker/O=Hackers United/C=unv
      Subject: /CN=Joe Hacker/O=Hackers United/C=unv
          aka: joe at
          aka: joe.hacker at
     validity: 2011-03-01 17:02:46 through 2063-04-05 17:00:00
     key type: 2048 bit RSA
 chain length: unlimited
  fingerprint: A0:31:50:B1:A4:56:FD:54:63:35:5F:25:59:F5:7A:B5:15:9A:7D:3D

Now if you want a "real" certificate you use the option --batch along
with a proper parameter file; the manual explains them all.  This
feature may even be used to write a proper CA tool.  Note that the DNS
name prompt is useful to create server certificates.  Surprisingly the
"existing key" options are useful to create certificates from already
existing keys (e.g. an OpenPGP key).

You need the latest gnupg from git and the new libksba 1.2.0.
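A parameter file for the --batch mode mentioned above, added here as an example that is not part of Werner's post: the keys mirror the summary the interactive session prints, the e-mail addresses are constructed, the parameter names follow the gpgsm manual, and Not-After is assumed to be accepted by the gpgsm build in use.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a gpgsm parameter file
# equivalent to the interactive answers above and, if gpgsm is installed,
# creates the self-signed certificate in a throwaway GNUPGHOME.
set -eu

# Write the parameter file. Keys mirror the "These parameters are used"
# summary of the interactive session; the addresses are constructed.
# Not-After caps validity (the interactive default runs to 2063); it is
# assumed to be supported by your gpgsm, drop the line if it is rejected.
write_params() {
  cat >"$1" <<'EOF'
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=Joe Hacker, O=Hackers United, C=unv
Name-Email: joe@example.invalid
Name-Email: joe.hacker@example.invalid
Not-After: 2012-03-01
EOF
}

# Count how often a parameter occurs, to sanity-check the file before use.
count_param() {
  grep -c "^$1:" "$2"
}

# Generate the certificate, import it and list it as the post does.
# A scratch GNUPGHOME keeps the test key out of the real keyring.
gen_cert() {
  params="$1"; pem="$2"
  if ! command -v gpgsm >/dev/null 2>&1; then
    echo "gpgsm not found; parameter file written to $params" >&2
    return 2
  fi
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  gpgsm --batch --gen-key "$params" >"$pem"
  gpgsm --batch --import "$pem"
  gpgsm -k
}

if [ "${1:-}" = "--run" ]; then
  write_params cert.parm
  gen_cert cert.parm x.pem
fi
```

Run it with `--run` to actually create x.pem; without the flag it only defines the functions.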



Thoughts are free.  Exceptions are governed by a federal law.
