gpgsm as a CA


gpgsm as a CA

Andrew Gallagher
Hi, all.

Is there any support for using gpgsm as a certificate authority?

--
Andrew Gallagher


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpgsm as a CA

Werner Koch
On Wed, 28 Feb 2018 18:57, [hidden email] said:

> Is there any support for using gpgsm as a certificate authority?

There is some basic support to create certificates:

   The format of the parameter file is described in the manual under
   "Unattended Usage".

   [...]

   This parameter file was used to create the STEED CA:
     Key-Type: RSA
     Key-Length: 1024
     Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
     Key-Usage: cert
     Serial: 1
     Name-DN: CN=The STEED Self-Signing Nonthority
     Not-Before: 2011-11-11
     Not-After: 2106-02-06
     Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
     Extension: 2.5.29.19 c 30060101ff020101
     Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
     Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
     %commit

Here a Root CA certificate is created.  However, the Signing-Key
parameter is a generic feature and thus it can also be used to let this
CA sign another key.  What's missing in gpgsm are a parser for the CSR
and code to filter the values of a CSR into a new certificate.  The
parser can be quite easily added; the other stuff needs some thinking.


Salam-Shalom,

   Werner

--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.
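As an added illustration (not part of Werner's message and not gpgsm's own code), a small Python script that parses a parameter file in the "Unattended Usage" format quoted above, decodes the critical basicConstraints extension from the STEED file, and lints the file the way a reviewer would before committing a CA key. The function names and the lint rules are my own choices; the sample is the parameter file from the message, embedded as a constant.

```python
# Constructed sample: the STEED Root CA parameter file quoted above.
STEED_PARAMS = """\
Key-Type: RSA
Key-Length: 1024
Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Key-Usage: cert
Serial: 1
Name-DN: CN=The STEED Self-Signing Nonthority
Not-Before: 2011-11-11
Not-After: 2106-02-06
Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Extension: 2.5.29.19 c 30060101ff020101
Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
%commit"""
def parse_params(text):
    """'Key: value' lines -> dict; Extension lines collect as (oid, critical, der)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":          # skip comments and %control lines
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Extension":                   # flag 'c' = critical, 'n' = non-critical
            oid, flag, der = value.split()
            params.setdefault(key, []).append((oid, flag == "c", bytes.fromhex(der)))
        else:
            params[key] = value
    return params

def basic_constraints(der):
    """Decode DER BasicConstraints (RFC 5280 4.2.1.9) -> (cA, pathLenConstraint)."""
    assert der[0] == 0x30, "expected SEQUENCE"
    body, i, is_ca, path_len = der[2:2 + der[1]], 0, False, None
    if i < len(body) and body[i] == 0x01:        # BOOLEAN cA (absent -> FALSE)
        is_ca, i = body[i + 2] != 0, i + 2 + body[i + 1]
    if i < len(body) and body[i] == 0x02:        # INTEGER pathLenConstraint (optional)
        path_len = int.from_bytes(body[i + 2:i + 2 + body[i + 1]], "big")
    return is_ca, path_len

def lint_ca_params(params):
    findings = []                                # what a reviewer checks before %commit
    if params.get("Signing-Key") == params.get("Key-Grip"):
        findings.append("self-signed: Signing-Key equals Key-Grip (root CA)")
    if params.get("Key-Type") == "RSA" and int(params.get("Key-Length", 0)) < 2048:
        findings.append("weak: RSA Key-Length below 2048 bits")
    for oid, critical, der in params.get("Extension", []):
        if oid == "2.5.29.19" and basic_constraints(der)[0] and not critical:
            findings.append("basicConstraints on a CA must be marked critical")
    return findings
```

On the STEED file the lint reports the self-signed root and the 1024-bit key; the basicConstraints extension decodes to CA=TRUE with pathLenConstraint 1 and is already marked critical.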


Re: gpgsm as a CA

Jean-Yves Migeon
In reply to this post by Andrew Gallagher
> Hi, all.
>
> Is there any support for using gpgsm as a certificate authority?

Hi,

FWIW I have put up a guide recently on how I achieved this with gpgsm +
an OpenPGP card for private key handling. You can drop the card thing if
you don't intend to use it and keep the private key instead.

https://github.com/jymigeon/gpgsm-as-ca

It is still a bit rough, I expect to expand it a bit in a few days.

All certificates I issue through this method work with the openssl
stacks we have around, so it is working from my PoV.

Did not investigate how to handle the CRL part though, and the X.509
extensions need a bit more work to be user-friendly, but you can safely
figure this out via openssl asn1parse.

--
Jean-Yves Migeon

