Generating GnuPG S/MIME key pair

Dan Bryant dkbryant at
Mon Apr 27 22:07:38 CEST 2015

TL;DR: gpgsm import fails with "no issuer found in certificate"

I'm trying to generate a key-pair for GnuPG S/MIME strictly for
instructional reasons.  I'll concede that I'm using a weak CA, but I'm
trying to imagine how the CA maintainers do this task as well.  So, for my
instruction, I'm trying to do the following:

I started off just wanting to create a GnuPG S/MIME key-pair.  I soon found
out that gpgsm requires key-pairs to be externally signed by a CA.  So now
I'm trying to do the whole process: make-key, sign-key, import-key.

   1. Create a CA with a new RSA key-pair (OpenSSL)
   2. Generate a new GnuPG S/MIME key-pair (gpgsm)
   3. Sign the GnuPG S/MIME key-pair with my fictitious CA above (openssl)
   4. Import the now signed GnuPG S/MIME key-pair into my gpgsm key-ring.

So in theory I thought this should work, but I've botched it somewhere along
the way.  Again... this is for INSTRUCTIONAL purposes.  I realize a self
signed CA is about as secure as a post-it on a monitor.  Trying to learn...

Here's what I tried (for those unfamiliar with Windows, the '^' is a line

-- gpgsm
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
gpgsm --gen-key > unsigned.pem
gpg-protect-tool --p12-export ^
   %appdata%\gnupg\private-keys-v1.d\{keygrip_from_prev_gen_key_cmd}.key ^
   > kgfpgkc.p12
openssl pkcs12 -in kgfpgkc.p12 -nocerts -out kgfpgkc.pem
openssl x509 -x509toreq -signkey kgfpgkc.pem ^
   -in unsigned.pem -out unsigned.csr
openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial ^
    -in unsigned.csr -out signed.pem -days 500
gpgsm --import signed.pem
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: ksba_cert_hash failed: No value
gpgsm: total number processed: 2
gpgsm:           not imported: 2

So... Why did the issuer check fail?  Do I need to import my fake CA (tried
that)?  If so, how?  Is there an option to provide a PEM to serve as the
root CA (like Python)?  Also tried copying rootCA.pem to com-certs.pem, but
no luck.
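The two "no issuer found in certificate" lines above come from gpgsm's basic certificate check, which, as far as the gpgsm source shows, fires when the certificate's issuer Name is absent or empty. The following Python is an added example, not part of this post or of GnuPG: it walks a PEM certificate's DER down to the issuer and subject Names and reproduces that check. The two certificates it builds are constructed test vectors with a dummy key and signature, and their CN values are made up.

```python
import base64

def tlv(tag, body):                                      # encode one DER TLV, minimal length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def read_tlv(buf, pos):                                  # -> (tag, body_start, body_end) at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long form: low 7 bits = number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln
def children(buf, start, end):                           # elements of a constructed value
    out, pos = [], start
    while pos < end:
        out.append(read_tlv(buf, pos))
        pos = out[-1][2]
    return out
def name_values(buf, start, end):                        # X.501 Name -> list of attribute value strings
    return [buf[vs:ve].decode() for _, rs, re_ in children(buf, start, end)   # each RDN (SET)
            for _, as_, ae in children(buf, rs, re_)                         # each AttributeTypeAndValue
            for _, vs, ve in children(buf, as_, ae)[1:]]                     # [0] is the type OID, skip it
def issuer_subject(pem):                                 # (issuer values, subject values) of a PEM cert
    der = base64.b64decode("".join(x for x in pem.splitlines() if not x.startswith("-----")))
    _, cs, _ = read_tlv(der, 0)                          # Certificate
    _, ts, te = read_tlv(der, cs)                        # tbsCertificate
    fields = children(der, ts, te)
    if fields[0][0] == 0xA0:                             # skip optional [0] EXPLICIT version
        fields = fields[1:]                              # now: serial, sigalg, issuer, validity, subject, ...
    return name_values(der, *fields[2][1:]), name_values(der, *fields[4][1:])
def basic_issuer_check(pem):                             # mirrors gpgsm's first basic import check
    return None if issuer_subject(pem)[0] else "no issuer found in certificate"

def make_cert(issuer_cn, subject_cn):                    # constructed vector: real TBS layout, dummy key/sig
    def name(cn):                                        # empty cn -> empty Name SEQUENCE
        atv = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode())   # id-at-commonName, UTF8String
        return tlv(0x30, tlv(0x31, tlv(0x30, atv))) if cn else tlv(0x30, b"")
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"150427000000Z") + tlv(0x17, b"160427000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + validity + name(subject_cn) + tlv(0x30, b""))     # empty SPKI stand-in
    b64 = base64.b64encode(tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

GOOD_PEM = make_cert("Test Root CA", "dan@example.invalid")   # issuer present: would pass the check
BAD_PEM = make_cert("", "dan@example.invalid")                # empty issuer: gpgsm's exact complaint
```

Pointing issuer_subject at signed.pem and rootCA.pem would show whether the issuer that openssl copied from the CA's subject actually contains anything.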