using gpg with private keys from openssl certificates?

John Clizbe JPClizbe at
Thu Dec 18 19:52:50 CET 2008

Robert J. Hansen wrote:
> arghman wrote:
>> So (and here's where I'm less clear) if I wanted to link the assertions made
>> by my X.509 certificates and my OpenPGP keys, there's no way to
>> automatically do this. But if I were to use the same private/public key in
>> both cases, I can assert to a third party that the entity in control of the
>> certificate / keys is the same entity because they are based on the same
>> underlying cryptographic primitive.
> And the answer is the same as before: this is possible although very
> difficult and usually not worth it.

I tried this some years ago and concur with Robert.  PGP Desktop will read a
X.509 cert into its keyring. What you get is a RSA key with no expiration date
with a CA certification as a signature packet which has no impact on the key's
functionality once it expires. That's not the way X.509 is supposed to work.

This key pair may be exported and imported into GnuPG where it will be seen as a
nonselfsigned key with an invalid signature packet (the CA certification).

C:\WINNT>gpg --list-key 0xbe81a801
pub   2048R/BE81A801 2005-09-16
uid                  Thawte Freemail Member <John.Clizbe at>

C:\WINNT>gpg --list-sigs 0xbe81a801
pub   2048R/BE81A801 2005-09-16
uid                  Thawte Freemail Member <John.Clizbe at>
sig       X  00000000 2005-09-16  [User ID not found]

You can use the raw key material from a X.509 cert in GnuPG after you've
massaged and cleaned it up a bit. But it really doesn't gain you anything. Each
of the two copies have no effect on the other. The CA's certification is ignored
in OpenPGP. Any additional OpenPGP signatures have no effect on the X.509
validity or trust.

IMO, A lot of work for no real benefit.


John P. Clizbe                      Inet:John (a)
You can't spell fiasco without SCO. hkp://  or
     mailto:pgp-public-keys at

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 680 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20081218/ffab7ec8/attachment-0001.pgp>

More information about the Gnupg-users mailing list