Re: Issuing non self-signed certificate without having the private key in gpgsm keyring

2018-02-28 Thread Jean-Yves Migeon

On 2018-02-28 15:35, Werner Koch wrote:

> On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:
>
>> ATM (with gpgsm (GnuPG) 2.2.4), due to [1], gpgsm cannot sign
>> certificate for which a public key has been imported but without an
>> associated private key to it (disregarding the self-signing
>
> What you do here is to create a CSR (Certificate Signing Request) for a new
> certificate.  This involves a signature done with the private key for
> the public key in that CSR.
>
>> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35': No such file or directory
>> gpgsm: error creating certificate request: No such file or directory
>
> You simply don't have that key.  What you enter there is the key grip.
> For example:
>
> [snip]
>
> If you enter the value in the last line at the prompt, the very same key
> would be used for a new certificate.


Hi Werner,

Thanks for taking the time to answer.


>> Would it make sense to relax the test in [1] and allow certificate
>> creation when we are not issuing a self-sign cert?
>
> That would violate the standard for creating a CSR.


Indeed. But that is not what I am asking.

I am actually attempting to have the CSR <> certificate issuance done in 
two different steps.


In some PKI setups, the CSR gets signed by the requesting entity and 
sent over to the CA. The CA then performs all kinds of checks, including 
signature (through the pub provided in the CSR), then CA issues a 
certificate signed with its own private key which is then sent back to 
the requesting entity.


ATM --gen-key can issue CSR and issue self-signing certificates, but in 
addition it can generate non self-signed cert in batch mode when 
"Key-Grip" and "Signing-Key" are different (Key-Grip corresponding to 
the entity, whereas Signing-Key is the key-grip of the CA).


However the check performed in [1] does not offer this possibility 
trivially because it will check the presence of the "Key-Grip" entity 
private key, which is technically not needed there and may be absent. 
The CSR can have been generated elsewhere, and only the entity public 
key has been imported inside keyring (via a PEM file for example).


Thanks,

--
Jean-Yves Migeon

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
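As an added illustration of the batch mode the message above describes (this is not code from the thread or from GnuPG): a gpgsm --gen-key --batch parameter file in which Key-Grip names the end-entity key and Signing-Key names the CA key, plus a small sanity check that the file really describes a CA-signed certificate rather than a CSR or a self-signed one. The keygrips, DNs and file names are constructed placeholders; the parameter names are those of gpgsm's unattended key generation, and with gpgsm 2.2.4 the entity private key still has to be present for this to succeed, which is the behaviour the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG.
# Key-Grip    = keygrip of the end-entity public key (e.g. imported from PEM)
# Signing-Key = keygrip of the CA key (assumed to live on the OpenPGP card)
# Both keygrips below are constructed placeholders, not real keys.
ENTITY_GRIP="0000000000000000000000000000000000000001"
CA_GRIP="0000000000000000000000000000000000000002"

# Emit a gpgsm batch parameter file on stdout.
# $1 = end-entity keygrip, $2 = CA (signing) keygrip.
write_params() {
    cat <<EOF
Key-Type: RSA
Key-Grip: $1
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=example end entity,O=Example
Issuer-DN: CN=Example CA,O=Example
Not-After: 2019-12-31
Signing-Key: $2
EOF
}

# Sanity-check a parameter file before handing it to gpgsm:
#  - a Serial line makes gpgsm emit a certificate instead of a CSR
#  - Signing-Key present and different from Key-Grip means the result
#    is CA-signed rather than self-signed
# Returns 0 for a CA-signed certificate description, 1 otherwise.
check_params() {
    f="$1"
    grep -q '^Serial:' "$f" || return 1
    kg=$(sed -n 's/^Key-Grip: *//p' "$f")
    sk=$(sed -n 's/^Signing-Key: *//p' "$f")
    [ -n "$kg" ] && [ -n "$sk" ] && [ "$kg" != "$sk" ]
}

# Usage (needs gpgsm and both keys known to gpg-agent; file names assumed):
#   write_params "$ENTITY_GRIP" "$CA_GRIP" > ee.params
#   check_params ee.params && gpgsm --armor --output ee.crt --gen-key --batch ee.params
```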


Re: gpgsm as a CA

2018-02-28 Thread Jean-Yves Migeon
> Hi, all.
> 
> Is there any support for using gpgsm as a certificate authority?

Hi,

FWIW I have put up a guide recently on how I achieved this with gpgsm +
an OpenPGP card for private key handling. You can drop the card thing if
you don't intend to use one and keep the private key instead.

https://github.com/jymigeon/gpgsm-as-ca

It is still a bit rough, I expect to expand it a bit in a few days.

All certificates I issue through this method work with the openssl
stacks we have around, so it is working from my PoV.

Did not investigate how to handle the CRL part though, and the X.509
extensions need a bit more work to be user-friendly, but you can safely
figure this out via openssl asn1parse.

-- 
Jean-Yves Migeon




Issuing non self-signed certificate without having the private key in gpgsm keyring

2018-02-24 Thread Jean-Yves Migeon

Hi everyone,

(please CC on reply, as I am not yet subscribed)

I am currently using gpgsm as some kind of PKI CA. It allows me to keep 
the CA private key stored on a smartcard, and create/sign different 
X.509 end-entity certs through the --gen-key --batch mode.


ATM (with gpgsm (GnuPG) 2.2.4), due to [1], gpgsm cannot sign 
certificate for which a public key has been imported but without an 
associated private key to it (disregarding the self-signing situation):


[--gen-key --batch]
gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35': No such file or directory
gpgsm: error creating certificate request: No such file or directory


unable to load certificate

Typical X.509 PKI setups do not require the CA to have access to the 
entity private key for issuing a corresponding X.509 certificate. I 
still manage to fake that around by creating a corresponding private key 
file with the correct keygrip under private-keys-v1.d/ , but this is at 
best a really dirty hack.


Would it make sense to relax the test in [1] and allow certificate 
creation when we are not issuing a self-sign cert?


Thanks,

[1] https://github.com/gpg/gnupg/blob/master/sm/certreqgen.c#L712

--
Jean-Yves Migeon
