gpgsm documentation (2nd attempt)
Werner Koch
wk at gnupg.org
Tue Nov 25 11:18:10 CET 2025
On Tue, 25 Nov 2025 01:04, Borden said:
> Is gpgsm supposed to be openssl compatible? I spent a week trying to
gpgsm is an application implementing X.509 key management and CMS
encryption, decryption, signing, and verification. openssl ist mostly a
library with a couple of tools tomake use of the core functions.
Here is an example on how to create a self-signed certificate from an
already existing (OpenPGP) key:
List the OpenPGP key
$ gpg -k --with-keygrip biko
pub rsa2048 2016-06-22 [SC]
5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7
Keygrip = C6A6390E9388CDBAD71EAEA698233FE5E04F001E
uid [ unknown] steve.biko at example.net
sub rsa2048 2016-06-22 [E]
4CB4D8C018C57E60EB3847901D777619BE310D79
Keygrip = D69102E0F5AC6B6DB8E4D16DA8E18CF46D88CAE3
Generate a self-signed certificate (or a CSR):
$ gpgsm --gen-key
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 2
Enter the keygrip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=Steven Biko
Enter email addresses (end with an empty line):
> biko at example.org
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Enter extensions (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: RSA
Key-Length: 1024
Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=Steven Biko
Name-Email: biko at example.org
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &C6A6390E9388CDBAD71EAEA698233FE5E04F001E
gpgsm: certificate created
Ready.
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIIL0uIYT/abSkwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLU3RldmVuIEJpa28wIBcNMjUxMTI1MDk1MjQzWhgPMjA2MzA0MDUxNzAwMDBa
[...]
You can also use a CA certificate to sign the new certificate instead of
creating a self-signed one. Here are some notes on how we create
intenal certificates:
1. Create or copy a config file with the name DOMAIN.param.
2. Change the items "Name-DN" und "Name-DNS" accordingly.
3. Create a keypair
gpgsm --batch --gen-key DOAMIN.param > DOMAIN.crt
4. Import keypair:
gpgsm --import DOMAIN.crt
5. Export certificate:
gpgsm -a --export DOMAIN > DOMAIN.pem
6. Export private key:
gpgsm -a --export-secret-key-raw DOMAIN > DOMAIN.key
7. Optionally export certificate and private key:
gpgsm -a --export-secret-key-p12 DOMAIN > DOMAIN.p12
Take care: The private key and the certificate are still stored in the
local GnuPG installation.
Here is a sample DOMAIN.parm file:
--8<---------------cut here---------------start------------->8---
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=wiki,O=example,C=de
Name-DNS: wiki.example.de
Serial: random
Issuer-DN: CN=My Root-CA 2025,O=Example GmbH,C=DE
Signing-Key: 184977136DA4D5C90C202F22E3812012ABCD7174
--8<---------------cut here---------------end--------------->8---
The signing key is the keygrip of the CA certificate. We are using a
smartcard here of course. For mail certificates you need to use other
parameters; see the GnuPG manula (PDF or Info), section 5.5.2.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 284 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20251125/d8e1419d/attachment.sig>
More information about the Gnupg-users
mailing list