Again: Writing DER certificates to ZeitControl Cards

Damien Goutte-Gattat dgouttegattat at
Mon Apr 2 14:43:52 CEST 2018

On 04/02/2018 01:10 AM, NIIBE Yutaka wrote:
> Most likely, the length of certificate matters.  If you can minimize
> your certificate, please try.  I don't know the limitation for the card.

I don't know for the v3.3 card, but v2.1 cards allow for a 2048 bytes 
certificate (at least mine does, but maybe this has changed between 
different production runs?).

One way of finding the max allowed size is the following command (here 
tested with a Yubikey NEO):

$ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

The value you are interested in is "mcl3". In this example, it says that 
the Yubikey NEO allows for a 1216-bytes certificate.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list