OpenPGP card, gpgsm, decrypt
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Sep 25 18:25:33 CEST 2013
On 09/24/2013 03:36 AM, Jörg Deckert wrote:
>> You are right. Sorry, there is no standard solution for this. It
>> depends on how a CA handles encryption keys. Set up your own CA and you
>> do not need a CSR.
>
> I have my own CA (XCA / openssl). I think I have 2 options:
> - transfer the key from gnupg to openssl before I move it to card
> - transfer the key from openssl to gnupg and move it to the card
> But I don't know how I can do this. Any hints?

i don't know how to do this with OpenSSL (afaict, the "openssl ca"
command does need a CSR to produce a cert).

But if you have access to the secret key for the CA, and you have the
raw public key of the would-be end-entity, you can produce a cert using
certtool (from the gnutls-bin package):

    certtool --load-ca-privkey=ca-secret.key \
        --load-ca-certificate=ca-cert.pem \
        --load-pubkey="ee-pubkey.pem" \
        --generate-certificate

hth,
--dkg
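
The certtool procedure from the message above, as an added end-to-end example that is not part of the original post: it issues a certificate from a bare public key and then checks that the result chains to the CA and carries exactly the key that was supplied. It assumes certtool (gnutls-bin) is installed; the throwaway CA and the software-generated end-entity key stand in for the real CA and the on-card key, and the template contents and extra file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: issue a certificate from a bare public key, without a CSR.
# Subject names, lifetimes and the *.cfg file names are constructed values.
issue_from_pubkey() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # Throwaway CA, standing in for the existing CA key and certificate.
    certtool --generate-privkey --outfile ca-secret.key 2>/dev/null || exit 1
    printf 'cn = "Demo CA"\nca\ncert_signing_key\nexpiration_days = 30\n' > ca.cfg
    certtool --generate-self-signed --load-privkey ca-secret.key \
        --template ca.cfg --outfile ca-cert.pem 2>/dev/null || exit 1

    # Stand-in for the on-card key: only its public half reaches the CA.
    certtool --generate-privkey --outfile ee-secret.key 2>/dev/null || exit 1
    certtool --load-privkey ee-secret.key --pubkey-info \
        --outfile ee-pubkey.pem 2>/dev/null || exit 1

    # The template answers what certtool would otherwise ask interactively.
    printf 'cn = "Demo User"\nemail = "user@example.org"\n' > ee.cfg
    printf 'encryption_key\nexpiration_days = 30\n' >> ee.cfg
    certtool --load-ca-privkey=ca-secret.key \
        --load-ca-certificate=ca-cert.pem \
        --load-pubkey=ee-pubkey.pem \
        --template ee.cfg \
        --generate-certificate --outfile ee-cert.pem 2>/dev/null || exit 1

    # Check 1: the new certificate verifies against the CA certificate.
    certtool --verify --load-ca-certificate ca-cert.pem \
        --infile ee-cert.pem >/dev/null 2>&1 || exit 1

    # Check 2: the certificate carries exactly the public key we supplied.
    pem() { sed -n '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/p' "$1"; }
    certtool --load-certificate ee-cert.pem --pubkey-info \
        --outfile cert-pubkey.pem 2>/dev/null || exit 1
    [ -n "$(pem ee-pubkey.pem)" ] || exit 1
    [ "$(pem ee-pubkey.pem)" = "$(pem cert-pubkey.pem)" ] || exit 1

    # Print the path of the issued certificate (the temp dir is left in place).
    echo "$dir/ee-cert.pem"
)
```

Because no CSR is involved, the CA gets no proof that the requester holds the matching secret key, so the public key file has to reach the CA over a channel you trust.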