Issuing non self-signed certificate without having the private key in gpgsm keyring

Werner Koch wk at
Wed Feb 28 15:35:28 CET 2018

On Fri, 23 Feb 2018 19:21, jym at said:

> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
> certificate for which a public key has been imported but without an
> associated private key to it (disregarding the self-signing

What you here is to create CSR (Certifciate Signing Request) for a new
certificate.  This involves a signature done with the private key for
the public key in that CSR.

> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
> No such file or directory
> gpgsm: error creating certificate request: No such file or directory

You simply don't have that key.  What you enter there is the key grip
For example:

$ gpgsm --with-keygrip -K 0x05B0DC50
           ID: 0x05B0DC50
          S/N: 2A821ECCEBFE1AFF
       Issuer: /CN=The STEED Self-Signing Nonthority
      Subject: /CN=John Steed
          aka: steed at
     validity: 2011-12-06 20:30:46 through 2063-04-05 17:00:00
     key type: 1024 bit RSA
  fingerprint: EC:6E:9C:33:24:6A:6F:04:FC:98:89:9A:5A:25:73:9E:05:B0:DC:50
      keygrip: 254C073ED986EE4EA5F8059A753DAC1FFD245999

If you enter the value in the last line at the prompt, the very same key
would be used for a new certificate.

> Would it make sense to relax the test in [1] and allow certificate
> creation when we are not issuing a self-sign cert?

That would violate the standard for creating a CSR.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list