On 2018-02-28 15:35, Werner Koch wrote:
On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:

ATM (with gpgsm (GnuPG) 2.2.4), due to [1], gpgsm cannot sign a
certificate for which a public key has been imported but without an
associated private key (disregarding the self-signing

What you do here is to create a CSR (Certificate Signing Request) for a new
certificate.  This involves a signature done with the private key for
the public key in that CSR.

gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
No such file or directory
gpgsm: error creating certificate request: No such file or directory

You simply don't have that key.  What you enter there is the key grip
For example:

[snip]

If you enter the value in the last line at the prompt, the very same key
would be used for a new certificate.

Hi Werner,

Thanks for taking the time to answer.

Would it make sense to relax the test in [1] and allow certificate
creation when we are not issuing a self-sign cert?

That would violate the standard for creating a CSR.

Indeed. But that is not what I am asking.

I am actually attempting to have the CSR <> certificate issuance done in two different steps.

In some PKI setups, the CSR gets signed by the requesting entity and sent over to the CA. The CA then performs all kinds of checks, including the signature (through the public key provided in the CSR), then the CA issues a certificate signed with its own private key, which is then sent back to the requesting entity.

ATM --gen-key can issue a CSR and self-signed certificates, but in addition it can generate a non-self-signed cert in batch mode when "Key-Grip" and "Signing-Key" are different ("Key-Grip" corresponding to the entity, whereas "Signing-Key" is the key-grip of the CA).

However, the check performed in [1] does not offer this possibility trivially, because it checks for the presence of the "Key-Grip" entity's private key, which is technically not needed there and may be absent. The CSR may have been generated elsewhere, and only the entity's public key imported into the keyring (via a PEM file, for example).

Thanks,

--
Jean-Yves Migeon

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
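To make the two-step flow discussed above concrete, here are two gpgsm batch parameter files, one per step. They are an added example and not part of the thread; the keygrips, DNs, e-mail addresses, dates and file names are placeholders. The parameter keywords (Key-Grip, Key-Usage, Name-DN, Name-Email, Serial, Issuer-DN, Not-Before, Not-After, Hash-Algo, Signing-Key) and the %commit control line are the ones documented for gpgsm --batch --gen-key; the keygrip of a key held by gpg-agent can be read off with gpgsm --with-keygrip -K.

```text
# --- Step 1: requester side, CSR for an existing key --------------------
# Hypothetical file entity-csr.param; run with
#   gpgsm --armor --batch --gen-key entity-csr.param >entity.csr
# Key-Grip selects an already existing key, so Key-Type/Key-Length are
# not given.  The CSR is signed with that key, so its private half must
# be present in the requester's private-keys-v1.d.  Placeholder keygrip.
Key-Grip: 0123456789ABCDEF0123456789ABCDEF01234567
Key-Usage: sign, encrypt
Name-DN: CN=entity.example.org,O=Example Corp,C=FR
Name-Email: entity@example.org
# No Serial: line, so gpgsm emits a CSR rather than a certificate.
%commit

# --- Step 2: CA side, certificate for the requester's public key --------
# Hypothetical file entity-cert.param; run with
#   gpgsm --armor --batch --gen-key entity-cert.param >entity.crt
# Key-Grip is the requester's keygrip again; Signing-Key is the CA's own
# keygrip, so the result is not self-signed.  Serial: is what turns the
# request into a certificate.  Only the CA's private key is needed for
# the signature; the requester's private key is not used here.
Key-Grip: 0123456789ABCDEF0123456789ABCDEF01234567
Key-Usage: sign, encrypt
Name-DN: CN=entity.example.org,O=Example Corp,C=FR
Name-Email: entity@example.org
Serial: random
Issuer-DN: CN=Example Corp Issuing CA,O=Example Corp,C=FR
Not-Before: 2018-03-01
Not-After: 2019-03-01
Hash-Algo: sha256
# Placeholder keygrip of the CA's signing key.
Signing-Key: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
%commit
```

The caveat is the one the thread is about: with the check in [1] as it stands in 2.2.4, the second file is only accepted when the private key behind the requester's Key-Grip is also present on the CA machine, and otherwise fails with the "error getting key by keygrip" message quoted above, even though the CA signature is made with Signing-Key alone. Keeping the requester's private key off the CA host is the whole point of splitting the procedure into two steps, so until that check is relaxed this layout only works on a host that holds both keys.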