using OpenPGP card as an X.509 CA?

Werner Koch wk at gnupg.org
Tue Jun 25 15:28:18 CEST 2013


On Tue, 25 Jun 2013 12:43, daniel at pocock.com.au said:
> I understand the OpenPGP card can hold one X.509 certificate

Actually the card does not hold any certificate but merely the keys and
OpenPGP fingerprints of the certificates.  You can very well use such a
key to create an X.509 certificate:

  $ gpgsm --gen-key
  gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpgsm: It is only intended for test purposes and should NOT be
  gpgsm: used in a production environment or with production keys!
  Please select what kind of key you want:
     (1) RSA
     (2) Existing key
     (3) Existing key from card
  Your selection? 3
  Serial number of the card: D2760001240102000005000001230000
  Available keys:
     (1) C003409A7489993713D22A10DD0604853FEE33F8 OPENPGP.1
     (2) C91C9AA0731D82B3B3191EA68478EAD4B5069EE8 OPENPGP.2
     (3) EC9663F3E82CEAC9734212CF13AAAA1A63B0F7DC OPENPGP.3
  Your selection? 
  
> Can this be used in practice to run an in-house CA to sign other X.509
> certificates, e.g. for small VPN setups?

There is no software to manage a CA but you can do it manually with gpgsm.

> Also, can the X.509 cert on the OpenPGP card be used with StrongSwan (as
> a client or server cert for VPN)?

Depends on what interface is supported.  If it uses pkcs#11 you may want
to check out Scute.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
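Added example, not from Werner's message and not a GnuPG script: the "do it manually with gpgsm" route as a small shell script driving gpgsm's unattended parameter files, where `Key-Grip:` selects an existing (card) key and `Signing-Key:` names the issuing key. It assumes a gpgsm that supports these batch parameters; the keygrip is the OPENPGP.1 entry from the listing above, and all DNs, dates and file names are made up.

```shell
# Added example: a manual in-house CA with gpgsm's batch parameter files,
# keyed by an OpenPGP card. CA_GRIP is the OPENPGP.1 keygrip from the
# listing in the message (placeholder: use your own); DNs/dates are made up.
CA_GRIP="C003409A7489993713D22A10DD0604853FEE33F8"
CA_DN="CN=Example In-House CA,O=Example"
NOT_BEFORE="2013-06-25"
NOT_AFTER="2023-06-25"
# Self-signed CA certificate on the card key. Key-Grip selects an existing
# key; Signing-Key names the same grip, so the card signs its own cert;
# the Extension line is basicConstraints (2.5.29.19), critical, CA:TRUE.
ca_params() {
  cat <<EOF
Key-Type: RSA
Key-Grip: $CA_GRIP
Key-Usage: sign, cert
Name-DN: $CA_DN
Issuer-DN: $CA_DN
Serial: random
Not-Before: $NOT_BEFORE
Not-After: $NOT_AFTER
Signing-Key: $CA_GRIP
Extension: 2.5.29.19 c 30030101ff
EOF
}
# End-entity (e.g. VPN peer) certificate: fresh 2048-bit RSA key made by
# gpg-agent, issued by the card key.  $1 = subject DN, $2 = DNS name.
ee_params() {
  cat <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: $1
Name-DNS: $2
Issuer-DN: $CA_DN
Serial: random
Not-Before: $NOT_BEFORE
Not-After: $NOT_AFTER
Signing-Key: $CA_GRIP
EOF
}
# Only touches gpgsm and the card when run as:  sh ca.sh --run
if [ "${1:-}" = "--run" ]; then
  ca_params > ca.params
  gpgsm --batch --armor --gen-key ca.params > ca.crt   # card PIN prompt
  gpgsm --import ca.crt
  ee_params "CN=vpn1.example.org,O=Example" vpn1.example.org > vpn1.params
  gpgsm --batch --armor --gen-key vpn1.params > vpn1.crt
  gpgsm --import vpn1.crt
fi
```

Every end-entity certificate is signed by the card, so each issuance asks for the card PIN; the CA private key never leaves the card.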
