Certificate Management - Using the GNU Privacy Guard

Previous: Operational GPGSM Commands, Up: GPGSM Commands

4.1.3 How to manage the certificates and keys

--gen-key: This command allows the interactive creation of a certifcate signing request. It is commonly used along with the --output option to save the created CSR into a file.
--list-keys
-k: List all available certificates stored in the local key database. Note that the displayed data might be reformatted for better human readability and illegal characters are replaced by safe substitutes.
--list-secret-keys
-K: List all available certificates for which a corresponding a secret key is available.
--list-external-keys pattern: List certificates matching pattern using an external server. This utilizes the dirmngr service.
--list-chain: Same as --list-keys but also prints all keys making up the chain.
--dump-cert
--dump-keys: List all available certificates stored in the local key database using a format useful mainly for debugging.
--dump-chain: Same as --dump-keys but also prints all keys making up the chain.
--dump-secret-keys: List all available certificates for which a corresponding a secret key is available using a format useful mainly for debugging.
--dump-external-keys pattern: List certificates matching pattern using an external server. This utilizes the dirmngr service. It uses a format useful mainly for debugging.
--keydb-clear-some-cert-flags: This is a debugging aid to reset certain flags in the key database which are used to cache certain certificate stati. It is especially useful if a bad CRL or a weird running OCSP reponder did accidently revoke certificate. There is no security issue with this command because gpgsm always make sure that the validity of a certificate is checked right before it is used.
--delete-keys pattern: Delete the keys matching pattern. Note that there is no command to delete the secret part of the key directly. In case you need to do this, you should run the command gpgsm --dump-secret-keys KEYID before you delete the key, copy the string of hex-digits in the “keygrip” line and delete the file consisting of these hex-digits and the suffix .key from the private-keys-v1.d directory below our GnuPG home directory (usually ~/.gnupg).
--export [pattern]: Export all certificates stored in the Keybox or those specified by the optional pattern. Those pattern consist of a list of user ids (see how-to-specify-a-user-id). When used along with the --armor option a few informational lines are prepended before each block. There is one limitation: As there is no commonly agreed upon way to pack more than one certificate into an ASN.1 structure, the binary export (i.e. without using armor) works only for the export of one certificate. Thus it is required to specify a pattern which yields exactly one certificate.
--export-secret-key-p12 key-id: Export the private key and the certificate identified by key-id in a PKCS#12 format. When using along with the --armor option a few informational lines are prepended to the output. Note, that the PKCS#12 format is not very secure and this command is only provided if there is no other way to exchange the private key. (see option –p12-charset)
--import [files]: Import the certificates from the PEM or binary encoded files as well as from signed-only messages. This command may also be used to import a secret key from a PKCS#12 file.
--learn-card: Read information about the private keys from the smartcard and import the certificates from there. This command utilizes the gpg-agent and in turn the scdaemon.
--passwd user_id: Change the passphrase of the private key belonging to the certificate specified as user_id. Note, that changing the passphrase/PIN of a smartcard is not yet supported.