Issuing non self-signed certificate without having the private key in gpgsm keyring
Werner Koch
wk at gnupg.org
Wed Feb 28 15:35:28 CET 2018
On Fri, 23 Feb 2018 19:21, jym at NetBSD.org said:
> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
> certificate for which a public key has been imported but without an
> associated private key to it (disregarding the self-signing
What you do here is to create a CSR (Certificate Signing Request) for a new
certificate. This involves a signature done with the private key for
the public key in that CSR.
> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
> No such file or directory
> gpgsm: error creating certificate request: No such file or directory
You simply don't have that key. What you enter there is the key grip
For example:
$ gpgsm --with-keygrip -K 0x05B0DC50
ID: 0x05B0DC50
S/N: 2A821ECCEBFE1AFF
Issuer: /CN=The STEED Self-Signing Nonthority
Subject: /CN=John Steed
aka: steed at itv.example.org.uk
validity: 2011-12-06 20:30:46 through 2063-04-05 17:00:00
key type: 1024 bit RSA
fingerprint: EC:6E:9C:33:24:6A:6F:04:FC:98:89:9A:5A:25:73:9E:05:B0:DC:50
keygrip: 254C073ED986EE4EA5F8059A753DAC1FFD245999
If you enter the value in the last line at the prompt, the very same key
would be used for a new certificate.
> Would it make sense to relax the test in [1] and allow certificate
> creation when we are not issuing a self-sign cert?
That would violate the standard for creating a CSR.
Shalom-Salam,
Werner
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are governed by a federal law.
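The "No such file or directory" error quoted in the mail means gpg-agent holds no private key under the keygrip that was entered. The following preflight check is an added example, not part of the original mail: it assumes the GnuPG 2.1+ layout in which each private key is the file private-keys-v1.d/<KEYGRIP>.key below the GnuPG home directory, and the helper name has_private_key is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Assumption: gpg-agent (GnuPG 2.1+) stores each private key as
#   <homedir>/private-keys-v1.d/<KEYGRIP>.key
# where KEYGRIP is 40 uppercase hex digits. A stub file for a
# smartcard key lives in the same place and also counts as present.

# has_private_key KEYGRIP [HOMEDIR]      (hypothetical helper)
#   returns 0  key file present for this keygrip
#           1  well-formed keygrip, but no key file (the case in the mail)
#           2  argument is not a complete 40-hex-digit keygrip
has_private_key() {
    # gpgsm prints keygrips in uppercase; accept lowercase input too.
    grip=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    home=${2:-${GNUPGHOME:-$HOME/.gnupg}}

    # Reject anything that is not pure hex (for instance a value
    # abbreviated with "..." when copied from an error message).
    case $grip in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#grip}" -eq 40 ] || return 2

    [ -f "$home/private-keys-v1.d/$grip.key" ] || return 1
    return 0
}

# Command-line use: sh check-grip.sh KEYGRIP
if [ "$#" -ge 1 ]; then
    rc=0
    has_private_key "$1" || rc=$?
    case $rc in
        0) echo "private key present for this keygrip" ;;
        1) echo "no private key for this keygrip; a request for it cannot be signed" ;;
        2) echo "not a complete 40-hex-digit keygrip" ;;
    esac
fi
```

Only keygrips listed by `gpgsm --with-keygrip -K` (secret keys) pass this check; a certificate that shows up only under `-k` has no private key in the agent.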