converting gpg files into PEM and certification change confusion

Werner Koch wk at gnupg.org
Tue Oct 2 17:00:24 CEST 2018


On Tue,  2 Oct 2018 10:43, aheinecke at intevation.de said:
> Any hints / documentation on how to achieve this?

That is easy if you have the keygrip (gpg --with-keygrip -K)

--8<---------------cut here---------------start------------->8---
$ gpgsm --gen-key
gpgsm (GnuPG) 2.3.0-beta459; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 2
Enter the keygrip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=test
Enter email addresses (end with an empty line):
> test at example.net
> 
Enter DNS names (optional; end with an empty line):
> 
Enter URIs (optional; end with an empty line):
> 
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=test
    Name-Email: test at example.net

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: about to sign the certificate for key: &69DE053632BD10D51A34C23B9D45A3655F9E0A6B
gpgsm: certificate created
Ready.
-----BEGIN CERTIFICATE-----
MIIB8DCCAVmgAwIBAgIIf9VW1oAzgtcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
AxMEdGVzdDAgFw0xODEwMDIxNDUzMDVaGA8yMDYzMDQwNTE3MDAwMFowDzENMAsG
A1UEAxMEdGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwoOWEbhVS69l
[...]
--8<---------------cut here---------------end--------------->8---

or to create another OpenPGP key from an existing (gpg) key:

--8<---------------cut here---------------start------------->8---
$ gpg --expert --full-gen-key
gpg: WARNING: unsafe permissions on homedir '/home/wk/b/gnupg/test-kbxd'
gpg (GnuPG) 2.3.0-beta459; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 13
Enter the keygrip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: 
Email address: test2 at example.net
Comment: 
You selected this USER-ID:
    "test2 at example.net"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key D2B554FFDE4135B7 marked as ultimately trusted
gpg: revocation certificate stored as '/home/wk/b/gnupg/test-kbxd/openpgp-revocs.d/FC7123F7C24BF9929836F44ED2B554FFDE4135B7.rev'
public and secret key created and signed.

pub   rsa1024 2018-10-02 [SCE]
      FC7123F7C24BF9929836F44ED2B554FFDE4135B7
uid                      test2 at example.net
--8<---------------cut here---------------end--------------->8---

Works also with stock 2.2 versions.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
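
The first session above in unattended form, as an added example that is not part of the original message: it writes the same parameters gpgsm echoes under "These parameters are used:" to a file and hands that file to gpgsm in batch mode. The function names and the sample e-mail address are hypothetical; the parameter keywords are the ones shown in the session, and the keygrip is the one from the message.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# is_keygrip VALUE: succeed only for exactly 40 hex digits.
is_keygrip() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# gpgsm_params KEYGRIP SUBJECT_DN EMAIL: print a gpgsm batch parameter block.
# "Serial: random" is what requests a self-signed certificate instead of a CSR.
gpgsm_params() {
    nl='
'
    is_keygrip "$1" || { echo "bad keygrip: $1" >&2; return 2; }
    # A newline in a value would smuggle extra parameter lines into the block.
    case "$2$3" in
        *"$nl"*) echo "newline in DN or e-mail" >&2; return 2 ;;
    esac
    cat <<EOF
Key-Type: RSA
Key-Grip: $1
Key-Usage: sign, encrypt
Serial: random
Name-DN: $2
Name-Email: $3
EOF
}

# make_selfsigned KEYGRIP SUBJECT_DN EMAIL OUTFILE: run gpgsm on that block.
# The secret key must already be in gpg-agent, which asks for its passphrase.
make_selfsigned() {
    tmp=$(mktemp) || return 1
    if gpgsm_params "$1" "$2" "$3" >"$tmp"; then
        gpgsm --batch --armor --output "$4" --gen-key "$tmp"
        rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (constructed values):
#   make_selfsigned 69DE053632BD10D51A34C23B9D45A3655F9E0A6B CN=test test@example.net test.pem
```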