OpenPGP card, gpgsm, decrypt

Daniel Kahn Gillmor dkg at
Wed Sep 25 18:25:33 CEST 2013

On 09/24/2013 03:36 AM, Jörg Deckert wrote:
>> You are right.  Sorry, there is no standard solution for this.  It
>> depends on how a CA handles encryption keys.  Set up your own CA and you
>> do not need a CSR.
> I have my own CA (XCA / openssl). I think I have 2 options:
>  - transfer the key from gnupg to openssl before I move it to card
>  - transfer the key from openssl to gnupg and move it to the card
> But I don't know how can I do this. Any hints?

I don't know how to do this with OpenSSL (afaict, the "openssl ca"
command does need a CSR to produce a cert).

But if you have access to the secret key for the CA, and you have the
raw public key of the would-be end-entity, you can produce a cert using
certtool (from the gnutls-bin package):

certtool --load-ca-privkey=ca-secret.key \
         --load-ca-certificate=ca-cert.pem \
         --load-pubkey="ee-pubkey.pem" \
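
The idea described above, a CA certifying a bare public key with no CSR, shown as an added example that is not part of the original post. It uses the Python "cryptography" package rather than certtool, and every name, subject and validity period in it is an assumption.

```python
# Added example: all names and values below are assumptions, not from the post.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, is_ca):
    """Fields the CA chooses itself; the subject contributes only public_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def issue_from_pubkey(ca_cert, ca_key, ee_pubkey_pem, common_name):
    """Certify a bare PEM public key. No CSR is read, so nothing here proves
    that the requester holds the matching private key."""
    ee_pub = serialization.load_pem_public_key(ee_pubkey_pem)
    builder = _builder(_name(common_name), ca_cert.subject, ee_pub, is_ca=False)
    return builder.sign(ca_key, hashes.SHA256())


def demo():
    """Throwaway CA and end-entity key pair, constructed for this example."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = _name("Demo CA")
    ca_cert = _builder(ca_name, ca_name, ca_key.public_key(), True).sign(ca_key, hashes.SHA256())
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ee_pem = ee_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    cert = issue_from_pubkey(ca_cert, ca_key, ee_pem, "Demo user")
    # Raises InvalidSignature unless the CA key signed the to-be-signed bytes.
    ca_key.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    return ca_cert, cert, ee_pem


if __name__ == "__main__":
    _, cert, _ = demo()
    print(cert.subject.rfc4514_string(), "<-", cert.issuer.rfc4514_string())
```

A CSR's self-signature is what normally shows the requester controls the private key; when issuing from a bare public key, the CA has to establish that some other way.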


