On Thu, 24 Aug 2023 06:07, Stuart Longland said:

> No, you need `openssl` for that.

Actually you can do that as well with GnuPG.  gpgsm --gen-key creates
either a CSR or a self-signed cert.  You can build a CA with it.  This
requires a parameter file.  For example create a file
wiki.example.org.parm:

--8<---------------cut here---------------start------------->8---
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=wiki,O=example,C=org
Name-DNS: wiki.example.org
Serial: random
Issuer-DN: CN=MY-ROOT-CA,O=example,C=DE
Signing-Key: 184977136DA4D5C90C202F22E3812012ABCD7174
--8<---------------cut here---------------end--------------->8---

The signing key is the keygrip of the ROOT-CA.  Now run

  gpgsm --gen-key --batch -a -o wiki.example.org.pem wiki.example.org.parm

(usually you won't use a passphrase) and then run

  gpgsm --import wiki.example.org.pem

To export the private key you may use

  gpgsm --export-secret-key-raw -a wiki.example.org > wiki.example.org-key.pem

All from memory - I should write a proper HOWTO.  We use this for all
internal certificates here in the company with the ROOT-CA's key stored
on a smartcard.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
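
The steps from the message above wrapped in a small POSIX shell script, as an added example that is not part of the original post or of GnuPG: it builds the parameter file only from validated inputs and creates the output files under umask 077. The function names and the character allow-lists are assumptions; the gpgsm commands and file names are the ones given in the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of GnuPG.
LC_ALL=C; export LC_ALL   # byte-wise ranges in the patterns below

# Host name: letters, digits, dot, hyphen. Rejecting everything else
# (newlines included) keeps extra lines out of the parameter file.
valid_host() {
    case "$1" in ''|*[!A-Za-z0-9.-]*|.*|*.|-*) return 1 ;; esac
}

# DN: conservative allow-list that covers the DNs used in the message.
valid_dn() {
    case "$1" in ''|*[!A-Za-z0-9=,.-]*) return 1 ;; esac
}

# Keygrip of the CA key: exactly 40 hex digits.
valid_keygrip() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
}

# write_parm HOST SUBJECT_DN ISSUER_DN CA_KEYGRIP -> parameter file on stdout
write_parm() {
    valid_host "$1" && valid_dn "$2" && valid_dn "$3" && valid_keygrip "$4" || {
        echo "write_parm: rejected input" >&2
        return 1
    }
    cat <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: $2
Name-DNS: $1
Serial: random
Issuer-DN: $3
Signing-Key: $4
EOF
}

# issue_cert HOST SUBJECT_DN ISSUER_DN CA_KEYGRIP
# Runs the three gpgsm commands from the message; needs gpgsm and the CA key.
issue_cert() (
    umask 077    # parameter file, certificate and exported key: owner only
    parm=$(write_parm "$@") || exit 1
    printf '%s\n' "$parm" > "$1.parm"
    gpgsm --gen-key --batch -a -o "$1.pem" "$1.parm" &&
    gpgsm --import "$1.pem" &&
    gpgsm --export-secret-key-raw -a "$1" > "$1-key.pem"
)
```

Called as `issue_cert wiki.example.org CN=wiki,O=example,C=org CN=MY-ROOT-CA,O=example,C=DE <keygrip>`, it leaves wiki.example.org.parm, wiki.example.org.pem and wiki.example.org-key.pem in the current directory.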