Issuing non self-signed certificate without having the private key in gpgsm keyring

Jean-Yves Migeon jym at
Fri Feb 23 19:21:49 CET 2018

Hi everyone,

(please CC on reply, as I am not yet subscribed)

I am currently using gpgsm as somekind of PKI CA. It allows me to keep 
the CA private key stored on a smartcard, and create/sign different 
X.509 end-entity certs through the --gen-key --batch mode.

ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign 
certificate for which a public key has been imported but without an 
associated private key to it (disregarding the self-signing situation):

[--gen-key --batch]
gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35': No 
such file or directory
gpgsm: error creating certificate request: No such file or directory 
<GPG Agent>
unable to load certificate

Typical X.509 PKI setups do not require the CA to have access to the 
entity private key for issuing a corresponding X.509 certificate. I 
still manage to fake that around by creating a corresponding private key 
file with the correct keygrip under private-keys-v1.d/ , but this is at 
best a really dirty hack.

Would it make sense to relax the test in [1] and allow certificate 
creation when we are not issuing a self-sign cert?



Jean-Yves Migeon

More information about the Gnupg-users mailing list