Generating GnuPG S/MINE key pair

Dan Bryant dkbryant at
Tue Apr 28 06:28:57 CEST 2015

Getting closer... The DirMngr stuff is totally required.  Got that out
of the way (added rootCA to the right dirmgr stuff).

Now I'm scrubbing the logs and it looks like DirMgr is complaining
because I didn't timestamp any of my custom certs.  Any "--ignore_ts"
or similar option to bypass this message?
     dirmngr[7276] command 'VALIDATE' failed: No value <KSBA>

On to
although I might have to shelve this for a few days at this point.

Call / Text: 281.760.4296

On Mon, Apr 27, 2015 at 9:22 PM, Dan Bryant <dkbryant at> wrote:
> OK... I found some very old posts about this... don't know how much still holds.
>   --
> This guide says:
> 1. Convert rootCA.pem to rootCA.der
> 2. Place rootCA.der in dirmngr\trusted-certs
> 3. Ensure rootCA.der has revocation URL (??can disable??)
> 4. Add rootCA.der fingerprint to trustlist.txt
> 5. Restart dirmngr service and gpg-agent
> Don't know... you think that will work?
> BTW.. Here's the versions of the previously mentioned utilities:
> - OpenSSL 1.0.2a 19 Mar 2015
> - gpg-protect-tool (GnuPG) 2.0.27 (Gpg4win 2.2.4)
> - gpgsm (GnuPG) 2.1.3
> On Mon, Apr 27, 2015 at 3:07 PM, Dan Bryant <dkbryant at> wrote:
>> TL;DR: gpgsm import fails with "no issuer found in certificate"
>> I'm trying to generate a key-pair for GnuPG S/MINE strictly for
>> instructional reasons.  I'll concede that I'm using a weak CA, but I'm
>> trying to image how the CA maintainers do this task as well.  So, for my
>> instruction, I'm trying to do the following:
>> I started off just wanting to create a GnuPG S/MINE key-pair.  I soon found
>> out that gpgsm requires key-pars to be externally signed by a CA.  So now
>> I'm trying to do the whole process, make-key, sign-key, import-key
>>   1. Create a CA with a new RSA key-pair (openSSL)
>>   2. Generate a new GnuPG S/MINE key-pair (gpgsm)
>>   3. Sign the GnuPG S/MINE key-pair with my fictitious CA above (openssl)
>>   4. Import the now signed GnuPG S/MINE key-pair into my gpgsm key-ring.
>> So I theory I thought this should work, but I've botched it somewhere along
>> the way.  Again... this is for INSTRUCTIONAL purposes.  I realize a self
>> signed CA is about as secure as a post-it on a monitor.  Trying to learn...
>> Here's what I tried (for those unfamiliar with Windows, the '^' is a line
>> continuation).
>> -- gpgsm
>> openssl genrsa -out rootCA.key 2048
>> openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>> gpgsm --gen-key > unsigned.pem
>> gpg-protect-tool --p12-export ^
>>    %appdata%\gnupg\private-keys-v1.d\{keygrip_from_prev_gen_key_cmd}.key ^
>>    > kgfpgkc.p12
>> openssl pkcs12 -in kgfpgkc.p12 -nocerts -out kgfpgkc.pem
>> openssl x509 -x509toreq -signkey kgfpgkc.pem ^
>>    -in unsigned.pem -out unsigned.csr
>> openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial ^
>>     -in unsigned.csr -out signed.pem -days 500
>> gpgsm --import signed.pem
>> --Output
>> gpgsm: no issuer found in certificate
>> gpgsm: basic certificate checks failed - not imported
>> gpgsm: no issuer found in certificate
>> gpgsm: basic certificate checks failed - not imported
>> gpgsm: ksba_cert_hash failed: No value
>> gpgsm: total number processed: 2
>> gpgsm:           not imported: 2
>> So... Why did the issuer check fail?  Do I need to import my fake CA (tried
>> that).  If so, how?  Is there an option to provide a PEM to serve as the
>> root CA (like Python)?  Also tried coping rootCA.pem to com-certs.pem, but
>> no luck

More information about the Gnupg-users mailing list