Is this a bug? Primary certification-only key will not "keytocard"

Peter Lebbing peter at
Sat Jun 8 13:01:29 CEST 2013

Hello Werner and list,

I could reproduce the problem the user "Mustrum" had with moving his
certification-only primary key to a smartcard. If you have a primary key with
sign and certify abilities, you can "keytocard" it to the Signature slot of an
OpenPGP card, and it will issue certifications just fine. But you can't move a
certification-only primary key to the Signature slot.

I think I did exactly this with my own key in 2009, and it worked fine.

Also, if you trick GnuPG into moving the primary key to a smartcard, it will
issue certifications perfectly fine as well.

This message is a reply to a message where I explain how I tricked GnuPG, in the
thread "Separate OpenPGP cards for master key and sub-keys".

Is it deliberate behaviour to deny the operation? And if so, I'm very interested
to know why.

By the way, back in 2009 I used a 2048-bit key, and Mustrum ran into the problem
with a 4096-bit key. I just tried, but it won't work for a 2048-bit key either.
Obviously, the chances that it was related to keysize were already slim, but I
checked anyway.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list