> The maximal size for the certificate to be stored on the token is indicated
> by the "mcl3" value (so, 2048 bytes in this example). Your DER-encoded
> certificate should not be bigger than that.
$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye | grep -Po 'mcl3=\d+'
mcl3=1216
My certificate is slightly larger:
$ gpgsm --export '&22BD35[...]6F89B' | wc --bytes
1432
> As far as I know there is no command in the gpg card editor to erase the
> certificate, but I *think* using the writecert command with /dev/null as
> input should do the trick (I have not tested).
Unfortunately I was not successful using /dev/null:
gpg/card> writecert 3 < /dev/null
gpg: error writing certificate to card: Invalid argument
> Scute can fetch the certificate both from the
> token itself, or from the gpgsm store. But it will try first to fetch it
> from the token.
To test my configuration I temporarily disabled the call to
scute_agent_get_cert():
diff --git a/src/gpgsm.c b/src/gpgsm.c
index 2a2906f..5c2674a 100644
--- a/src/gpgsm.c
+++ b/src/gpgsm.c
@@ -124,7 +124,7 @@ scute_gpgsm_get_cert (char *grip, int no, cert_get_cb_t
cert_get_cb, void *hook)
/* If the key is from the card, we might get the certificate from
the card as well. */
- if (no >= 0)
+ if (false && no >= 0)
{
struct cert cert;
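Review bot: The `if (false && no >= 0)` condition makes the card-certificate branch that follows unreachable for every caller, so it works as the temporary test described in the message but not as a lasting change. A version meant to stay would keep `no >= 0` and skip the card copy only when it cannot be used, letting the lookup continue to the gpgsm store. Also, `false` is not a keyword in C before C23, so unless `<stdbool.h>` is already included in src/gpgsm.c (not visible in this hunk), a literal `0` is the safer spelling.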
The Certificate Manager now shows an entry under 'Your Certificates'.
I was able to log in via Client Auth using my Yubikey.
Amazing :-)
Thank you very much for your continuous help!
I'll try to find a way to erase the certificate from the Yubikey.
Fabian
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
