On 4/10/24 10:20, NIIBE Yutaka wrote:
Terminada wrote:

It appears that gpgsm supports creating a self-signed CA but maybe only
for RSA keys?

I don't know for X.509 CA use cases.  Could you please ask gnupg-devel?

Yes, it seems that the failure relates to unimplemented functionality in gpg-agent / gpgsm, rather than Gnuk.

I'll sign up to gnupg-devel and ask.


For X.509 Ed25519 support, it would not be tested well or it's buggy,
and the UI is not that good.  Although I don't know if it's related, for
X.509 EdDSA certificates, I can find this commit:

     https://dev.gnupg.org/rG6dc3846d78192e393be73c16c72750734a9174d1

That link gave me hope so I installed the latest development version of gnupg and all dependencies and re-tried using the same parameter file demonstrated in the commit that you linked (but with my keygrip). Unfortunately gpgsm wouldn't work and I got a message saying "Signing failed: Not implemented".

It seems strange to me that more people don't want to use ed25519 keys protected by a smartcard as the basis for their self-signed CA. The ed25519 keys have become much more commonly used and they seem better suited for use on devices with limited resources like a smartcard.

Do you know if there is a way I can work around the gpgsm inadequacy? Is there some way that I can do part of the self-signed CA creation with openssl and then sign using gpg-agent talking to Gnuk? For example, I believe it might be possible to use the ssh key equivalent of the gpg private key in openssl to create the self-signed CA. However, I will still need to sign user CSRs after the private key is residing on my Gnuk token, which doesn't seem possible?

_______________________________________________
Gnuk-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnuk-users