Issuing non self-signed certificate without having the private key in gpgsm keyring

Jean-Yves Migeon jym at
Wed Feb 28 18:05:05 CET 2018

On 2018-02-28 15:35, Werner Koch wrote:
> On Fri, 23 Feb 2018 19:21, jym at said:
>> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
>> certificate for which a public key has been imported but without an
>> associated private key to it (disregarding the self-signing
> What you do here is to create CSR (Certificate Signing Request) for a new
> certificate.  This involves a signature done with the private key for
> the public key in that CSR.
>> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
>> No such file or directory
>> gpgsm: error creating certificate request: No such file or directory
> You simply don't have that key.  What you enter there is the key grip
> For example:
> [snip]
> If you enter the value in the last line at the prompt, the very same key
> would be used for a new certificate.

Hi Werner,

Thanks for taking the time to answer.

>> Would it make sense to relax the test in [1] and allow certificate
>> creation when we are not issuing a self-sign cert?
> That would violate the standard for creating a CSR.

Indeed. But that is not what I am asking.

I am actually attempting to have the CSR <> certificate issuance done in 
two different steps.

In some PKI setups, the CSR gets signed by the requesting entity and
sent over to the CA. The CA then performs all kinds of checks, including
signature (through the pub provided in the CSR), then the CA issues a
certificate signed with its own private key which is then sent back to
the requesting entity.

ATM --gen-key can issue CSR and issue self-signing certificates, but in 
addition it can generate non self-signed cert in batch mode when 
"Key-Grip" and "Signing-Key" are different (Key-Grip corresponding to 
the entity, whereas Signing-Key is the key-grip of the CA).

However, the check performed in [1] does not offer this possibility
trivially because it will check for the presence of the "Key-Grip" entity
private key, which is technically not needed there and may be absent.
The CSR may have been generated elsewhere, and only the entity public
key has been imported into the keyring (via a PEM file for example).


Jean-Yves Migeon
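
The two-step flow described in this message, as an added example that is not part of the original post and is not GnuPG code: it uses Go's standard `crypto/x509` instead of gpgsm, and the names `NewCA`, `NewCSR`, `IssueFromCSR`, "Example CA" and "entity.example" are constructed for illustration. The CA function receives only the CSR bytes, verifies the CSR's signature with the public key it carries, and signs with the CA key alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a short-lived certificate template (constructed sample values).
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
}
// NewCA creates a throwaway self-signed CA; its private key stays on the CA side.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := template(1, "Example CA")
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// NewCSR is the requesting entity: its private key signs the CSR and is then dropped.
func NewCSR(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der
}
// IssueFromCSR is the CA: verify the CSR with its own public key, sign with the CA key.
func IssueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected: unparsable or signature does not verify")
	}
	der, err := x509.CreateCertificate(rand.Reader, template(2, csr.Subject.CommonName), ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	ca, caKey := NewCA()
	_, err := IssueFromCSR(NewCSR("entity.example"), ca, caKey)
	fmt.Println("issued without the entity private key:", err == nil)
}
```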
