gpgsm and expired certificates

Pete Stephenson pete at
Sun Oct 27 11:13:22 CET 2013

On Sun, Oct 27, 2013 at 11:01 AM, Uwe Brauer <oub at> wrote:
>    > If you generate a new keypair for the new certificate (which is
>    > probably a good idea) then gpgsm (and presumably any other
>    > certificate-using software) will figure out what private key will be
>    > needed to decrypt a particular message and, so long as you still have
>    > the private key on your system, will use it as needed even if the
>    > corresponding certificate has expired.
> So gpgsm (and others) will also figure out which private key to use for
> signing: that is the new one, once the old certificate is expired?
> Which means in the case of smime, also to embedd the corresponding
> new public key in the signature.

I can't speak specifically for gpgsm, as I only use GPG with OpenPGP
keys and not x.509 certs, but I would venture that the answer to your
question is "yes, gpgsm will select the correct private key for
signing" as that's standard behavior for such software.

Werner or others could answer authoritatively.

Pete Stephenson

More information about the Gnupg-users mailing list