On 06/05/2017 07:54 PM, Fabian Peter Hammerle wrote:
> Ah, I didn't know I had to write the certificate onto the Yubikey.
You do not *have* to; Scute can fetch the certificate either from the token itself or from the gpgsm store. But it will first try to fetch it from the token.
Storing the certificate on the token itself instead of relying on the gpgsm store allows you to use your token on a machine that is not your usual machine.
Could you extract the certificate from the smartcard and have a look at it?

    $ gpg --card-edit
    gpg/card> readcert 3 > file.der
    gpg/card> quit
    $ od -x file.der
    0000000 217f 0082 ffff ffff ffff ffff ffff ffff
    0000020 ffff ffff ffff ffff ffff ffff ffff ffff
    *
    0000400 ffff 00ff
    0000403

I don't pretend to be an X.509 or ASN.1 expert (far from it!), but this does not look like an X.509 certificate at all.
> gpg: error writing certificate to card: Provided object is too large
> Do I have to choose a smaller key size?

Check the maximal size supported by the Yubikey:

    $ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye

The output should be a line like the following:

    S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0

The maximal size for the certificate to be stored on the token is indicated by the "mcl3" value (so, 2048 bytes in this example). Your DER-encoded certificate should not be bigger than that.
But if it happens that your Yubikey does not support 4096-bit certificates, and you still want such a certificate, then you could simply erase the (corrupted) certificate on the Yubikey. As I said above, Scute will fetch the certificate from the gpgsm store if it cannot find it on the token.
As far as I know there is no command in the gpg card editor to erase the certificate, but I *think* using the writecert command with /dev/null as input should do the trick (I have not tested).
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users