Re: gpgsm as a CA
On Wed, 28 Feb 2018 18:57, andr...@andrewg.com said:

> Is there any support for using gpgsm as a certificate authority?

There is some basic support to create certificates: The format of the parameter file is described in the manual under "Unattended Usage".

[...]

This parameter file was used to create the STEED CA:

    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
    Key-Usage: cert
    Serial: 1
    Name-DN: CN=The STEED Self-Signing Nonthority
    Not-Before: 2011-11-11
    Not-After: 2106-02-06
    Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
    Extension: 2.5.29.19 c 30060101ff020101
    Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
    Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
    %commit

Here a Root CA certificate is created. However, the Signing-Key parameter is a generic feature and thus it can also be used to let this CA sign another key.

What's missing in gpgsm are a parser for the CSR and code to filter the values of a CSR into a new certificate. The parser can be quite easily added; the other stuff needs some thinking.

Salam-Shalom,

   Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are governed by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm as a CA
> Hi, all.
>
> Is there any support for using gpgsm as a certificate authority?

Hi,

FWIW I have put up a guide recently on how I achieved this with gpgsm + an OpenPGP card for private key handling. You can drop the card thing if you don't intend to use it and keep the private key instead.

https://github.com/jymigeon/gpgsm-as-ca

It is still a bit rough, I expect to expand it a bit in a few days. All certificates I issue through this method work with the openssl stacks we have around, so it is working from my PoV.

Did not investigate how to handle the CRL part though, and the X.509 extensions need a bit more work to be user-friendly, but you can safely figure this out via openssl asn1parse.

--
Jean-Yves Migeon
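The hex strings on the Extension lines of the parameter file quoted in this thread are DER-encoded extension values (OID, then c for critical or n for non-critical, then hex). The following is an added example, not part of any message in the thread and not gpgsm code: it reads those lines and decodes or builds the basicConstraints value (2.5.29.19), so the CA flag and path length can be checked before a certificate is issued. All function names are hypothetical, and only short-form DER lengths are handled.

```python
# Added example (not from the thread): read and build gpgsm "Extension:" values.
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints (RFC 5280)

def read_tlv(buf, pos=0):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form length (not handled here)")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos], buf[pos + 2:end], end

def decode_basic_constraints(hexval):
    """Return (is_ca, path_len) for a DER-encoded BasicConstraints value."""
    raw = bytes.fromhex(hexval)
    tag, body, end = read_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x01 and len(val) == 1:      # BOOLEAN cA
            is_ca = val != b"\x00"
        elif tag == 0x02 and val:              # INTEGER pathLenConstraint
            path_len = int.from_bytes(val, "big")
        else:
            raise ValueError("unexpected element, tag 0x%02x" % tag)
    return is_ca, path_len

def encode_basic_constraints(is_ca, path_len=None):
    """Build the hex string for an 'Extension: 2.5.29.19 c <hex>' line."""
    if path_len is not None and (not is_ca or path_len < 0):
        raise ValueError("pathLenConstraint needs cA=TRUE and a value >= 0")
    body = b"\x01\x01\xff" if is_ca else b""   # DER omits the default FALSE
    if path_len is not None:
        n = path_len.to_bytes(path_len.bit_length() // 8 + 1, "big")
        body += bytes([0x02, len(n)]) + n
    return (bytes([0x30, len(body)]) + body).hex()

def parse_extensions(param_text):
    """Return [(oid, critical, hex)] for every 'Extension:' line."""
    rows = [l.split(":", 1)[1].split() for l in param_text.splitlines()
            if l.strip().startswith("Extension:")]
    return [(oid, flag == "c", hexval) for oid, flag, hexval in rows]

# The two Extension lines from the STEED parameter file quoted in the thread.
SAMPLE = """Extension: 2.5.29.19 c 30060101ff020101
Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff"""
```

Decoding the first sample line gives CA:TRUE with a path length of 1, which is what openssl asn1parse shows for the same bytes.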
gpgsm as a CA
Hi, all.

Is there any support for using gpgsm as a certificate authority?

--
Andrew Gallagher