On Sun, Oct 27, 2013 at 11:01 AM, Uwe Brauer <o...@mat.ucm.es> wrote:
>
> > If you generate a new keypair for the new certificate (which is
> > probably a good idea) then gpgsm (and presumably any other
> > certificate-using software) will figure out what private key will be
> > needed to decrypt a particular message and, so long as you still have
> > the private key on your system, will use it as needed even if the
> > corresponding certificate has expired.
>
> So gpgsm (and others) will also figure out which private key to use for
> signing: that is the new one, once the old certificate is expired?
>
> Which means in the case of smime, also to embed the corresponding
> new public key in the signature.

I can't speak specifically for gpgsm, as I only use GPG with OpenPGP keys and not x.509 certs, but I would venture that the answer to your question is "yes, gpgsm will select the correct private key for signing" as that's standard behavior for such software.

Werner or others could answer authoritatively.

--
Pete Stephenson