Generating GnuPG S/MIME key pair

Werner Koch wk at
Tue Apr 28 09:26:16 CEST 2015

On Mon, 27 Apr 2015 22:07, dkbryant at said:

> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported

Your root certificate is not valid.  An Issuer is required and that
issuer must match the Subject.  Also certain other fields are required
for a root certificate. I suggest using a tool like tinyca2 to create
your own CA or one of the scripts which come with OpenSSL to set up a
CA (you need a Unix shell on Windows, though).

gpgsm 2.1 has much improved certificate generation.  You may create a
self-signed certificate directly:

--8<---------------cut here---------------start------------->8---
$ gpgsm --gen-key
Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=test cert
Enter email addresses (end with an empty line):
Enter DNS names (optional; end with an empty line):
Enter URIs (optional; end with an empty line):
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=test cert

Proceed with creation? (y/N) 
--8<---------------cut here---------------end--------------->8---

This works well on Windows - however the installer for 2.1.3 is a bit

  gpgsm --export-secret-key-p8 -a KEYID

may then be used to export the private key in PKCS#8 format (which Apache
etc. require).



Thoughts are free.  Exceptions are governed by a federal law.
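As an added illustration (not part of Werner's reply and not GnuPG code), the script below builds a self-signed root with OpenSSL and checks the two properties named above before anything is handed to `gpgsm --import`: the Issuer must equal the Subject, and the certificate must carry basicConstraints CA:TRUE; a CA-signed end-entity certificate is shown failing the same check, which is the situation behind the "no issuer found" error. It assumes `openssl` 1.1.1 or newer is on PATH; the function and file names are the example's own.

```shell
# Added example, not from the list post.  Builds a self-signed root CA with
# OpenSSL and checks what gpgsm requires of a root certificate: Issuer equal
# to Subject, plus basicConstraints CA:TRUE.  Assumes openssl 1.1.1+ on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the result does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# make_root_ca PREFIX SUBJ: writes PREFIX.key (unencrypted PKCS#8) and PREFIX.pem
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/req.cnf" -subj "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# make_leaf CAPREFIX PREFIX SUBJ: end-entity cert signed by the CA (Issuer != Subject)
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 365 -out "$2.pem" 2>/dev/null
}
# is_valid_root CERT.pem: succeed only if Issuer == Subject and CA:TRUE is set
is_valid_root() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || { echo "$1: issuer does not match subject" >&2; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$1: no basicConstraints CA:TRUE" >&2; return 1; }
}
# demo_root_check: prints "root:ok leaf:rejected" when both checks behave as expected
demo_root_check() {
    make_root_ca "$WORK/ca" "/CN=test cert"
    make_leaf "$WORK/ca" "$WORK/leaf" "/CN=leaf"
    root=fail;     is_valid_root "$WORK/ca.pem" 2>/dev/null && root=ok
    leaf=accepted; is_valid_root "$WORK/leaf.pem" 2>/dev/null || leaf=rejected
    echo "root:$root leaf:$leaf"
}
demo_root_check
```

The root written to `ca.pem` is what `gpgsm --import` expects; the leaf is rejected by the same rule gpgsm applies, because its Issuer names the CA rather than itself.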
