Usage text

Robert J. Hansen rjh at
Sat Feb 6 15:17:07 CET 2016

Proposed FAQ language -- feel free to criticize, to suggest alternate
phrasings, or anything else.  :)


Q: When I view my certificate I see letters like S, C, E, and A.  What
do they mean?

A: Your certificate contains two or more cryptographic keys.  When
attached to a certificate, we call them “subkeys”.  Different subkeys
get used for different sorts of tasks.

There are four different tasks a subkey can perform.  It can

	* Sign data, so others know it came from you
	* Certify somebody else's certificate, so others
          can see you vouching for it
	* Encrypt data to you
	* Authenticate you to a computer system

For instance, looking at my own certificate, we see:

    laptop:~ rjh$ gpg --edit-key rob at
    Secret key is available.

    sec  rsa3072/1DCBDC01B44427C7
         created: 2015-07-16  expires: never       usage: SC
         card-no: 0005 00000D18
         trust: ultimate      validity: ultimate
    ssb  rsa3072/DC0F82625FA6AADE
         created: 2015-07-16  expires: never       usage: E
         card-no: 0005 00000D18
    [ultimate] (1). Robert J. Hansen <rob at>
    [ultimate] (2)  Robert J. Hansen <rjh at>

Subkey 1DCBDC01B44427C7 can be used to sign data or certify other
people's certificates; subkey DC0F82625FA6AADE can only be used to
encrypt data.

You don't need to keep track of subkeys.  GnuPG will never ask you for a
specific subkey.  Instead, GnuPG will ask you for a certificate ID.
GnuPG will then use whichever subkey is appropriate for the task it's
performing.  If two or more subkeys are appropriate, it will use the
newer one.

Q: None of my subkeys are marked “A”.  Is this a problem?

A: No.  Using GnuPG to authenticate yourself to a computer system is an
advanced topic and only a few users will ever need it.  For that reason,
by default GnuPG does not mark subkeys as usable for authentication.

More information about the Gnupg-users mailing list