Issuing non self-signed certificate without having the private key in gpgsm keyring
jym at NetBSD.org
Fri Feb 23 19:21:49 CET 2018
(please CC on reply, as I am not yet subscribed)
I am currently using gpgsm as somekind of PKI CA. It allows me to keep
the CA private key stored on a smartcard, and create/sign different
X.509 end-entity certs through the --gen-key --batch mode.
ATM (with gpgsm (GnuPG) 2.2.4) , due to , gpgsm cannot sign
certificate for which a public key has been imported but without an
associated private key to it (disregarding the self-signing situation):
gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35': No
such file or directory
gpgsm: error creating certificate request: No such file or directory
unable to load certificate
Typical X.509 PKI setups do not require the CA to have access to the
entity private key for issuing a corresponding X.509 certificate. I
still manage to fake that around by creating a corresponding private key
file with the correct keygrip under private-keys-v1.d/ , but this is at
best a really dirty hack.
Would it make sense to relax the test in  and allow certificate
creation when we are not issuing a self-sign cert?
More information about the Gnupg-users