X509 CSR signed with card key

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Feb 23 01:44:22 CET 2015

On 02/23/2015 12:33 AM, Dubravszky József wrote:
> Is there any way to create an X509 CSR signed with the private key stored on
> the card?

Yes, you can use the gpgsm(1) tool for that.

Make sure your card is in the card reader, then:

   $ gpgsm --armor --output mycsr.pem --gen-key

You’ll be prompted to select what kind of key you want, choose “Existing 
key from card” (make sure your card is in the reader). Then select which 
of the card keys you want to use (the signing key, the encryption key, 
or the authentication key) and the intended use of the future certificate.

At the end of the procedure, you’ll be prompted for your PIN in order to 
sign the CSR.

The documentation of Scute [1] has a complete example (it uses 
gpgsm-gencert.sh, a deprecated helper script, instead of the above 
command, but the procedure is almost the same).
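
A check that can be run on the resulting mycsr.pem before it is submitted to a CA, as an added example that is not part of the original post. It assumes the openssl command-line tool is installed; `check_csr` and `csr_summary` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: sanity-check a PEM-encoded CSR such as the mycsr.pem
# written by "gpgsm --armor --output mycsr.pem --gen-key".
# Assumes the openssl CLI is available; function names are hypothetical.

# check_csr FILE
#   returns 0 if FILE parses as a PKCS#10 request and its self-signature
#   verifies against the public key embedded in the request,
#   1 if parsing or verification fails, 2 if FILE cannot be read.
check_csr() {
    csr=$1
    [ -r "$csr" ] || { echo "cannot read $csr" >&2; return 2; }
    # Match the result text on both output streams rather than trusting
    # the exit status alone.
    out=$(openssl req -in "$csr" -inform PEM -noout -verify 2>&1) || true
    case $out in
        *"verify OK"*) return 0 ;;
        *) echo "CSR check failed for $csr" >&2; return 1 ;;
    esac
}

# csr_summary FILE
#   prints the subject and a SHA-256 digest of the DER-encoded public key,
#   so the request can be compared with the card key that was selected.
csr_summary() {
    openssl req -in "$1" -noout -subject
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256
}

# Usage:
#   check_csr mycsr.pem && csr_summary mycsr.pem
```
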


