Dear sirs and ladies
Werner Koch
wk at gnupg.org
Thu Aug 24 11:54:13 CEST 2023
On Thu, 24 Aug 2023 06:07, Stuart Longland said:
> No, you need `openssl` for that.

Actually you can do that as well with GnuPG.

  gpgsm --gen-key

creates either a CSR or a self-signed cert.  You can build a CA with it.
This requires a parameter file.  For example create a file
wiki.example.org.parm:

--8<---------------cut here---------------start------------->8---
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=wiki,O=example,C=org
Name-DNS: wiki.example.org
Serial: random
Issuer-DN: CN=MY-ROOT-CA,O=example,C=DE
Signing-Key: 184977136DA4D5C90C202F22E3812012ABCD7174
--8<---------------cut here---------------end--------------->8---

The signing key is the keygrip of the ROOT-CA.

Now run

  gpgsm --gen-key --batch -a -o wiki.example.org.pem wiki.example.org.parm

(usually you won't use a passphrase) and then run

  gpgsm --import wiki.example.org.pem

To export the private key you may use

  gpgsm --export-secret-key-raw -a wiki.example.org > wiki.example.org-key.pem

All from memory - I should write a proper HOWTO.  We use this for all
internal certificates here in the company with the ROOT-CA's key stored
on a smartcard.

Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
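
The procedure from the mail above, wrapped in a shell helper so the same parameter template can be reused for several internal hosts. This is an added example, not part of the original message or of GnuPG; `write_parm` and `issue_cert` are hypothetical names, the key settings are copied from the mail's parameter file, and it assumes `gpgsm` is on the PATH with the root CA key reachable through gpg-agent.

```shell
#!/bin/sh
# Added example; write_parm and issue_cert are hypothetical helper names.

# write_parm FQDN SUBJECT_DN ISSUER_DN CA_KEYGRIP
# Prints a gpgsm parameter file on stdout, or returns 1 on unsafe input.
write_parm() {
    fqdn=$1 subject=$2 issuer=$3 grip=$4
    nl='
'
    # Host name: letters, digits, dots, hyphens. This keeps a newline from
    # adding parameter lines and a leading "-" from looking like an option.
    case $fqdn in
        ''|-*|.*|*[!A-Za-z0-9.-]*) echo "bad host name" >&2; return 1 ;;
    esac
    # Each DN must be one non-empty line.
    for dn in "$subject" "$issuer"; do
        case $dn in
            ''|*"$nl"*) echo "bad DN" >&2; return 1 ;;
        esac
    done
    # The Signing-Key value is a keygrip: exactly 40 hex digits.
    case $grip in
        ''|*[!0-9A-Fa-f]*) echo "bad keygrip" >&2; return 1 ;;
    esac
    [ "${#grip}" -eq 40 ] || { echo "bad keygrip length" >&2; return 1; }
    cat <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: $subject
Name-DNS: $fqdn
Serial: random
Issuer-DN: $issuer
Signing-Key: $grip
EOF
}

# issue_cert FQDN SUBJECT_DN ISSUER_DN CA_KEYGRIP
# Writes FQDN.parm, then runs the two gpgsm commands from the mail.
issue_cert() (
    umask 077    # keep the generated files private to the caller
    parm=$(write_parm "$@") || exit 1
    printf '%s\n' "$parm" > "$1.parm"
    gpgsm --gen-key --batch -a -o "$1.pem" "$1.parm" &&
        gpgsm --import "$1.pem"
)
```

Calling `write_parm` on its own prints the parameter file for review before any key is generated.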