Issuing non self-signed certificate without having the private key in gpgsm keyring
jym at NetBSD.org
Wed Feb 28 18:05:05 CET 2018
Le 2018-02-28 15:35, Werner Koch a écrit :
> On Fri, 23 Feb 2018 19:21, jym at NetBSD.org said:
>> ATM (with gpgsm (GnuPG) 2.2.4) , due to , gpgsm cannot sign
>> certificate for which a public key has been imported but without an
>> associated private key to it (disregarding the self-signing
> What you here is to create CSR (Certifciate Signing Request) for a new
> certificate. This involves a signature done with the private key for
> the public key in that CSR.
>> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
>> No such file or directory
>> gpgsm: error creating certificate request: No such file or directory
> You simply don't have that key. What you enter there is the key grip
> For example:
> If you enter the value in the last line at the prompt, the very same
> would be used for a new certificate.
Thanks for taking the time to answer.
>> Would it make sense to relax the test in  and allow certificate
>> creation when we are not issuing a self-sign cert?
> That would violate the standard for creating a CSR.
Indeed. But that is not what I am asking.
I am actually attempting to have the CSR <> certificate issuance done in
two different steps.
In some PKI setups, the CSR gets signed by the requesting entity and
sent over to the CA. The CA then performs all kind of checks, including
signature (through the pub provided in the CSR), then CA issues a
certificate signed with its own private key which is then sent back to
the requesting entity.
ATM --gen-key can issue CSR and issue self-signing certificates, but in
addition it can generate non self-signed cert in batch mode when
"Key-Grip" and "Signing-Key" are different (Key-Grip corresponding to
the entity, whereas Signing-Key is the key-grip of the CA).
However the check performed in  does not offer this possibility
trivially because it will check the presence of the "Key-Grip" entity
private key, which is technically not needed there and may be absent.
The CSR can have been generated elsewhere, and only the entity public
key has been imported inside keyring (via a PEM file for example).
More information about the Gnupg-users