Create a GPG subkey
A GPG subkey contains the following characteristics:
An RSA, ECDSA, or EdDSA keypair
A master key signature certifying that the subkey pertains to the master key
The ability to sign; use the subkey, not the master key, for signing
You can create a subkey from Software Trust Manager or SMCTL.
In the Software Trust menu, go to Keypairs > GPG keypairs.
Select Create subkey.
Complete the following fields, and then select Create.
Field: Description

Alias: Name to uniquely identify this subkey.

Select master key: Select the corresponding master key.

Algorithm: Select RSA, ECDSA, or EdDSA. When you select EdDSA, the key curve is set to Ed25519.
Note: Subkeys are used much more often than the master key. For that reason ECC (ECDSA or EdDSA) is recommended: it is faster, and the resulting signatures are smaller than RSA signatures.

Key size/curve: Select 2048, 3072, or 4096.

Category: Select Production or Test.

Storage: Select whether the keypair should be generated and stored on HSM or Disk.

Keypair status: Select Online (can be used to sign at any time) or Offline (can only be used to sign during a scheduled release).

Access: Select Open to give access to any account user. Select Restricted to limit access to specific users or members of a specific user group.

Keypair validity: Select Select an expiry date to set a specific expiry date for your keypair. The keypair expires at the end of the selected day at midnight (UTC).
Select Never expire to keep your keypair active until you manually add an expiry date.

Allowed users: For Restricted keypairs, you can specify which users can use the keypair.

Allowed user groups: For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.

Team: This field appears when teams are enabled. Select a team that should have access to this keypair.
To generate a GPG subkey, run:
smctl gpg keypair generate <subkey alias> --can-sign "<YES or NO>" --gpg-key-type "SUB" --key-alg "<algorithm>" --key-size <RSA key size in bits> | --curve "<ECDSA curve name>" --key-type "<TEST or PRODUCTION>" --master-gpg-keypair-id "<keypair id for gpg master key>"
Review the following sample:
smctl gpg keypair generate gpg_smctl_sub1 --can-sign "YES" --gpg-key-type "SUB" --key-alg "RSA" --key-size 3072 --key-type "TEST" --master-gpg-keypair-id "34d08346-7560-48d7-a5db-f6570e704857"
Review the output:
55200043-f586-4508-b094-c1cad4ea21b4
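The following is an added example, not DigiCert's code and not part of this page's original content. It wraps the SMCTL command shown above in a small helper that validates the flag combination before anything is sent to Software Trust Manager, runs smctl as an argument list (so no shell quoting is involved), and captures the keypair id that smctl prints, which is what a release pipeline needs to pass on to later signing steps. The flag names and the RSA key sizes come from the page; the rule that RSA takes --key-size and ECDSA takes --curve follows the page's "--key-size | --curve" syntax. Passing neither flag for EdDSA (the UI fixes the curve to Ed25519) is an assumption about the CLI, and the helper assumes smctl is on PATH and already authenticated.

```python
"""Build, validate and run the smctl command that creates a GPG signing subkey.

Added example (not DigiCert's code). Assumptions: flag names as on the page;
RSA takes --key-size, ECDSA takes --curve, EdDSA takes neither (assumed);
smctl is on PATH and already authenticated.
"""
import re
import subprocess
import uuid

RSA_SIZES = {2048, 3072, 4096}          # key sizes the page lists
ALGORITHMS = {"RSA", "ECDSA", "EdDSA"}  # algorithms the page lists
CATEGORIES = {"TEST", "PRODUCTION"}

# Keypair ids printed by smctl are UUIDs (see the sample output on the page).
_UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_subkey_argv(alias, master_id, algorithm, *, key_size=None, curve=None,
                      category="TEST", can_sign=True):
    """Return the smctl argv for a GPG subkey, rejecting bad flag combinations early."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"algorithm must be one of {sorted(ALGORITHMS)}")
    if category not in CATEGORIES:
        raise ValueError("category must be TEST or PRODUCTION")
    try:
        uuid.UUID(master_id)
    except ValueError:
        raise ValueError("master_id must be the UUID of a GPG master keypair") from None

    argv = ["smctl", "gpg", "keypair", "generate", alias,
            "--can-sign", "YES" if can_sign else "NO",
            "--gpg-key-type", "SUB",
            "--key-alg", algorithm]

    if algorithm == "RSA":
        if key_size not in RSA_SIZES or curve is not None:
            raise ValueError("RSA subkeys take --key-size 2048, 3072 or 4096 and no --curve")
        argv += ["--key-size", str(key_size)]
    elif algorithm == "ECDSA":
        if not curve or key_size is not None:
            raise ValueError("ECDSA subkeys take --curve and no --key-size")
        argv += ["--curve", curve]
    else:
        # EdDSA: assumption that the curve is fixed to Ed25519, so no size/curve flag.
        if key_size is not None or curve is not None:
            raise ValueError("EdDSA subkeys take neither --key-size nor --curve")

    argv += ["--key-type", category, "--master-gpg-keypair-id", master_id]
    return argv


def parse_keypair_id(output):
    """Extract the new subkey's keypair id (a UUID) from smctl's stdout."""
    m = _UUID_RE.search(output)
    if not m:
        raise RuntimeError(f"no keypair id found in smctl output: {output!r}")
    return m.group(0).lower()


def create_subkey(alias, master_id, algorithm, **kwargs):
    """Run smctl and return the keypair id of the newly created subkey."""
    argv = build_subkey_argv(alias, master_id, algorithm, **kwargs)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_keypair_id(proc.stdout)


if __name__ == "__main__":
    # Dry run: show the argv for the page's sample instead of calling smctl.
    print(build_subkey_argv("gpg_smctl_sub1", "34d08346-7560-48d7-a5db-f6570e704857",
                            "RSA", key_size=3072))
```

Because the command is passed to subprocess as a list, an alias or curve name containing shell metacharacters cannot alter the command line; the validation in build_subkey_argv only reproduces the constraints the page states, so an unexpected combination fails locally instead of after a round trip to the service.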