Generating GnuPG S/MINE key pair

Dan Bryant dkbryant at
Tue Apr 28 04:22:39 CEST 2015

OK... I found some very old posts about this... don't know how much still holds.

This guide says:
1. Convert rootCA.pem to rootCA.der
2. Place rootCA.der in dirmngr\trusted-certs
3. Ensure rootCA.der has revocation URL (??can disable??)
4. Add rootCA.der fingerprint to trustlist.txt
5. Restart dirmngr service and gpg-agent

Don't know... you think that will work?

BTW.. Here's the versions of the previously mentioned utilities:
- OpenSSL 1.0.2a 19 Mar 2015
- gpg-protect-tool (GnuPG) 2.0.27 (Gpg4win 2.2.4)
- gpgsm (GnuPG) 2.1.3

On Mon, Apr 27, 2015 at 3:07 PM, Dan Bryant <dkbryant at> wrote:
> TL;DR: gpgsm import fails with "no issuer found in certificate"
> I'm trying to generate a key-pair for GnuPG S/MINE strictly for
> instructional reasons.  I'll concede that I'm using a weak CA, but I'm
> trying to image how the CA maintainers do this task as well.  So, for my
> instruction, I'm trying to do the following:
> I started off just wanting to create a GnuPG S/MINE key-pair.  I soon found
> out that gpgsm requires key-pars to be externally signed by a CA.  So now
> I'm trying to do the whole process, make-key, sign-key, import-key
>   1. Create a CA with a new RSA key-pair (openSSL)
>   2. Generate a new GnuPG S/MINE key-pair (gpgsm)
>   3. Sign the GnuPG S/MINE key-pair with my fictitious CA above (openssl)
>   4. Import the now signed GnuPG S/MINE key-pair into my gpgsm key-ring.
> So I theory I thought this should work, but I've botched it somewhere along
> the way.  Again... this is for INSTRUCTIONAL purposes.  I realize a self
> signed CA is about as secure as a post-it on a monitor.  Trying to learn...
> Here's what I tried (for those unfamiliar with Windows, the '^' is a line
> continuation).
> -- gpgsm
> openssl genrsa -out rootCA.key 2048
> openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
> gpgsm --gen-key > unsigned.pem
> gpg-protect-tool --p12-export ^
>    %appdata%\gnupg\private-keys-v1.d\{keygrip_from_prev_gen_key_cmd}.key ^
>    > kgfpgkc.p12
> openssl pkcs12 -in kgfpgkc.p12 -nocerts -out kgfpgkc.pem
> openssl x509 -x509toreq -signkey kgfpgkc.pem ^
>    -in unsigned.pem -out unsigned.csr
> openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial ^
>     -in unsigned.csr -out signed.pem -days 500
> gpgsm --import signed.pem
> --Output
> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported
> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported
> gpgsm: ksba_cert_hash failed: No value
> gpgsm: total number processed: 2
> gpgsm:           not imported: 2
> So... Why did the issuer check fail?  Do I need to import my fake CA (tried
> that).  If so, how?  Is there an option to provide a PEM to serve as the
> root CA (like Python)?  Also tried coping rootCA.pem to com-certs.pem, but
> no luck

More information about the Gnupg-users mailing list