Scute keys (was: How do I import an X.509 Certificate onto an OpenPGP smartcard?)

Werner Koch wk at
Tue Feb 15 10:39:30 CET 2011

On Sun, 13 Feb 2011 01:41, kgo at said:

> Thirdly, the SCUTE docs start by generating a certificate request from
> your OpenPGP authentication key.  In this scenario, are you just using
> the Same RSA key for both your OpenPGP and X509 certificates?  Does the

Yes, it is possible to create a CSR from an existing key.  If you run
gpgsm --gen-key you see

  Please select what kind of key you want:
     (1) RSA
     (2) Existing key
     (3) Existing key from card
  Your selection? 2
  Enter the keygrip: 

With GnuPG 2.1 you may now easily use any existing key,  run

  gpg[sm] --with-keygrip -K

to get the keygrip.  The keygrip is also used as the name of the file
holding the key at private-keys-v1.d/.

IIRC, Scute does exactly this.  I have not looked at Scute for a long
time thus you better check yourself.

> certificate imported into gpgsm just contain the public key and the CA's
> signature and somehow defer operations to the card?

Yes, you have to run gpgsm --learn-card first so that the agent knows
what public keys are stored on the card.  The certificates on the cards
are in general not necessary.  If the card contains X.509 certificates,
gpgsm --learn-card will import them for future use.  Scute usually
fetches the certificates via gpgsm but will also take care of the
certificates stored on the card.  This clearly needs more documentation.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list