Is it possible to certify (sign) a key using a subkey?

Daniel Kahn Gillmor dkg at
Fri Aug 18 05:25:26 CEST 2017

On Thu 2017-08-17 19:47:16 -0500, Mario Castelán Castro wrote:
> I have chosen RSA as a “known good” algorithm for the primary key
> because if I chose a different curve or algorithm for elliptic key once
> I have the required knowledge to make an informed decision it will be
> more convenient to change only a subkey than to generate a new primary
> key. For example, I can keep the signatures (certifications) that I
> accumulate during that time on my key, supposing I have the opportunity
> to go to a signing party.

I still don't think this is a good justification, fwiw.  If you think
you'll be making these certifications for other people to consume,
please do those other people a favor and just use your primary key.
The OpenPGP world has a habit of trying to make things too fancy.  Keep
it simple!

> Also, using a subkey for signing still has a size advantage. If you
> have, say, 5 keys signed by my ECC subkey. there will be less size

Where are you trying to save these bytes?

> Anyway, my question still stands: How can I enable the certificate
> capability on a subkey with GPG?

I don't know of a way to change usage flags on an existing subkey with
GnuPG without modifying the source.

You can add a new subkey with your chosen usage flags in --expert mode,
though.  But i don't recommend it.


More information about the Gnupg-users mailing list