Creating a subkey from an existing key

Werner Koch wk at
Mon Nov 7 09:55:26 CET 2011


GPGSM has a way to create a self-signed certificate or a certificate
signing request using an existing key.  This feature was missing from
GPG, thus I added it.  If you use the *development version* of GnuPG
(GIT master), you may now add a subkey to your key using an already
existing key.  This can be used to turn a key originally created for
X.509 into an OpenPGP subkey.  You can also do all other kinds of useless
tricks.  Example:

  $ gpg --expert --edit-key foo
  gpg> addkey
  Please select what kind of key you want:
     (3) DSA (sign only)
     (4) RSA (sign only)
     (5) Elgamal (encrypt only)
     (6) RSA (encrypt only)
     (7) DSA (set your own capabilities)
     (8) RSA (set your own capabilities)
    (10) ECDSA (sign only)
    (11) ECDSA (set your own capabilities)
    (12) ECDH (encrypt only)
    (13) Existing key
  Your selection? 13
  Enter the keygrip: dddd
  Not a valid keygrip (expecting 40 hex digits)
  Enter the keygrip: 767FE23B5382793B50A27A282D9B87E44577EB69
  Possible actions for a DSA key: Sign Authenticate 
  Current allowed actions: Sign 
     (S) Toggle the sign capability
     (A) Toggle the authenticate capability
     (Q) Finished
  Your selection? q
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0) 
  Key does not expire at all
  Is this correct? (y/N) y
  Really create? (y/N) y
  pub  [...]
  sub  1024D/12345678  created: 2011-11-07  expires: never       usage: S   
  gpg> save

To see the keygrips of a key you may use the option --with-keygrip.
Extending this feature to the primary key is possible, I was merely too
lazy to implement it.



Thoughts are free.  Exceptions are regulated by a federal law.
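An added example, not part of the original post and not GnuPG's own code: one way to collect the keygrips to type at the "Enter the keygrip" prompt, by parsing colon-format listings and applying the same 40-hex-digit rule the prompt enforces. The function names are hypothetical, the sample listing is constructed, and the script assumes the keygrip sits in field 10 of the `grp` record that follows each key record.

```shell
# Added example: reads `gpg --with-colons` output on stdin and prints
#   TYPE KEYID ALGO CAPS KEYGRIP
# Real use: gpg --with-keygrip --with-colons --list-keys foo | list_keygrips
# Same rule as the addkey prompt: exactly 40 hex digits.
valid_keygrip() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

list_keygrips() {
    awk -F: '
        BEGIN { name[1] = "RSA"; name[16] = "Elgamal"; name[17] = "DSA"
                name[18] = "ECDH"; name[19] = "ECDSA" }
        # pub/sub (public) and sec/ssb (secret) records start a new key.
        $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
            type = $1; algo = $4; keyid = $5
            caps = ($12 == "") ? "-" : $12
            next
        }
        # The grp record that follows holds the keygrip in field 10.
        $1 == "grp" && type != "" {
            grip = toupper($10)
            alg = (algo in name) ? name[algo] : "algo" algo
            if (length(grip) == 40 && grip ~ /^[0-9A-F]+$/)
                print type, keyid, alg, caps, grip
            else
                print "malformed keygrip for " keyid ": " $10 > "/dev/stderr"
            type = ""
        }'
}

# Constructed sample; only the 40-digit keygrip and "dddd" come from the post.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:1320656126:::u:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::1111111111111111111111111111111111111111:
sub:u:1024:17:BBBBBBBBBBBBBBBB:1320656126::::::s:
grp:::::::::767FE23B5382793B50A27A282D9B87E44577EB69:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1320656126::::::e:
grp:::::::::dddd:
EOF
}

sample_listing | list_keygrips
```

The third key's `dddd` is reported on stderr and left out of the listing, mirroring the "Not a valid keygrip" rejection in the session above.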
