On 09/24/2013 03:36 AM, Jörg Deckert wrote:
>> You are right. Sorry, there is no standard solution for this. It
>> depends on how a CA handles encryption keys. Set up your own CA and you
>> do not need a CSR.
>
> I have my own CA (XCA / openssl). I think I have 2 options:
> - transfer the key from gnupg to openssl before I move it to card
> - transfer the key from openssl to gnupg and move it to the card
> But I don't know how I can do this. Any hints?

I don't know how to do this with OpenSSL (afaict, the "openssl ca"
command does need a CSR to produce a cert).

But if you have access to the secret key for the CA, and you have the
raw public key of the would-be end-entity, you can produce a cert using
certtool (from the gnutls-bin package):

    certtool --load-ca-privkey=ca-secret.key \
        --load-ca-certificate=ca-cert.pem \
        --load-pubkey="ee-pubkey.pem" \
        --generate-certificate

hth,
--dkg
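
The certtool invocation in the message above asks for the subject and key usage interactively unless it is given a template. The script below is an added example, not part of the original message: it runs the same step non-interactively and then checks that the issued certificate verifies against the CA and carries exactly the supplied public key. The demo CA, all file names and the template values are constructed, and a GnuTLS 3.x certtool is assumed.

```shell
#!/bin/sh
# Added example; every file name and template value here is constructed.

# Print only the PEM public key block from certtool's --pubkey-info output.
pem_pubkey() { sed -n '/-BEGIN PUBLIC KEY-/,/-END PUBLIC KEY-/p'; }

issue_from_pubkey() {
    dir=$1
    # Demo CA, standing in for the CA key and certificate you already have.
    certtool --generate-privkey --outfile "$dir/ca-secret.key" 2>/dev/null || return 1
    printf 'cn = "Demo CA"\nca\ncert_signing_key\nexpiration_days = 30\n' > "$dir/ca.tmpl"
    certtool --generate-self-signed --load-privkey "$dir/ca-secret.key" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem" 2>/dev/null || return 1

    # End-entity key pair; only the public half is given to the CA step.
    certtool --generate-privkey --outfile "$dir/ee-secret.key" 2>/dev/null || return 1
    certtool --pubkey-info --load-privkey "$dir/ee-secret.key" 2>/dev/null \
        | pem_pubkey > "$dir/ee-pubkey.pem"
    [ -s "$dir/ee-pubkey.pem" ] || return 1

    # The template supplies the subject and key usage a CSR would have carried,
    # so certtool does not prompt for them.
    printf 'cn = "Card User"\nemail = "user@example.org"\nencryption_key\nexpiration_days = 30\n' \
        > "$dir/ee.tmpl"
    certtool --generate-certificate \
        --load-ca-privkey "$dir/ca-secret.key" \
        --load-ca-certificate "$dir/ca-cert.pem" \
        --load-pubkey "$dir/ee-pubkey.pem" \
        --template "$dir/ee.tmpl" --outfile "$dir/ee-cert.pem" 2>/dev/null
}

# Succeeds only if the certificate verifies against the CA and embeds exactly
# the public key that was supplied.
check_issued_cert() {
    dir=$1
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" \
        --infile "$dir/ee-cert.pem" >/dev/null 2>&1 || return 1
    certtool --pubkey-info --load-certificate "$dir/ee-cert.pem" 2>/dev/null \
        | pem_pubkey > "$dir/cert-pubkey.pem"
    [ -s "$dir/cert-pubkey.pem" ] && cmp -s "$dir/ee-pubkey.pem" "$dir/cert-pubkey.pem"
}
```

To try it, call `issue_from_pubkey` and then `check_issued_cert` with the same scratch directory, for example one created by `mktemp -d`.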
