
GPG keys

GPG keys are different from other private keys because each GPG key includes a master key and associated subkeys. While there are no technical differences between a master key and subkey, the responsibilities of these keys remain separate to enhance security.

We recommend that the master key only be used for creating subkeys and the subkeys be used for signing. In the event that a subkey is compromised, this will allow you to revoke and replace the affected subkey, while the master key and uncompromised subkeys remain secure. The identity of the key is associated with the master key; therefore, if the master key is compromised, the identity of the master key and all associated subkeys are compromised and must be revoked and replaced.

Generate GPG master key

A master key can technically be used to sign without a need for a subkey. However, we recommend that you only use the master key (sometimes called “certification key”) to certify and create subkeys.

You can generate a master key and subkey from our DigiCert® Software Trust Manager UI or our command line interface SMCTL.

You require the Manage master key permission to generate a GPG master key.

To generate a GPG master key using DigiCert® Software Trust Manager:

You require the Generate keypair or Manage keypair permission to create a GPG keypair.

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Select Create master key.

  4. Complete the following fields:

    Alias: Name to uniquely identify this master key.

    Purpose: Check the box next to Sign if you want to use this key to sign.

    User ID name: Enter the name of the user.

    User ID comment (optional): Optional, but a comment can help you identify what the key is used for or tell the end user more about this master key.

    User ID email: Enter the user's email address.

    Algorithm: Select RSA, ECDSA, or EdDSA. When you select EdDSA, the key curve is set to Ed25519.

    Note

    For compatibility reasons, we recommend that you use RSA for the master key. Some tools do not handle ECC keys properly. Master keys are used infrequently, so the speed and size considerations of RSA are unimportant.

    Key size/curve: Select 2048, 3072, or 4096.

    Category: Select Production or Test.

    Storage: Select whether the keypair should be generated and stored on HSM or Disk.

    Keypair status: Select Online (can be used to sign at any time) or Offline (can only be used to sign during a scheduled release).

    Access: Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group).

    Team: Select a team that should have access to this keypair. This field is shown only if you enable Teams under Account settings.

Generate GPG master key using SMCTL

  1. Access SMCTL.

  2. Run the command:

    gpg keypair generate <master key alias> --key-alg "<algorithm>" --key-size <RSA key size> | --curve "<ECDSA curve name>" --can-sign "<YES or NO>" --gpg-key-type "MASTER" --uids "name=<name>,email=<email>", "name=<name>,email=<email>"

    Command sample:

    gpg keypair generate smctl_gpg_master --key-alg "ECDSA" --curve "P256" --can-sign "YES" --gpg-key-type "MASTER" --uids "name=useridsmctl1,email=name@digicert.com name=useridsmctl2,email=name@digicert.com"

Generate GPG subkey

You can generate a subkey for an existing master key from our DigiCert® Software Trust Manager UI or our command line interface SMCTL.

Generate GPG subkey using DigiCert® Software Trust Manager

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Select Create subkey.

  4. Complete the following fields:

    Alias: Name to uniquely identify this subkey.

    Select master key: Select the master key that this subkey should be associated with.

    Algorithm: Select RSA, ECDSA, or EdDSA. When you select EdDSA, the key curve is set to Ed25519.

    Note

    Subkeys are used more often, so ECC (ECDSA or EdDSA) is recommended: signing is faster, and the resulting signatures are dramatically smaller than with RSA.

    Key size/curve: Select 2048, 3072, or 4096.

    Category: Select Production or Test.

    Storage: Select whether the keypair should be generated and stored on HSM or Disk.

    Keypair status: Select Online (can be used to sign at any time) or Offline (can only be used to sign during a scheduled release).

    Access: Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group).

    Team: Select a team that should have access to this keypair. This field is shown only if you enable Teams under Account settings.

Generate GPG subkey using SMCTL

  1. Access SMCTL.

  2. Run the command:

    ./smctl-mac-x64 gpg keypair generate <subkey alias> --can-sign "<YES or NO>" --gpg-key-type "SUB" --key-alg "<algorithm>" --key-size <RSA key size in bits> | --curve "<ECDSA curve name>" --key-type "<TEST or PRODUCTION>" --master-gpg-keypair-id "<keypair id for gpg master key>"

    Command sample:

    ./smctl-mac-x64 gpg keypair generate gpg_smctl_sub1 --can-sign "YES" --gpg-key-type "SUB" --key-alg "RSA" --key-size 3072 --key-type "TEST" --master-gpg-keypair-id "34d08346-7560-48d7-a5db-f6570e704857"

    Command output:

    55200043-f586-4508-b094-c1cad4ea21b4

Download GPG keyring

You can download the GPG keyring, which contains one or more master keys and all subkeys associated with the selected master keys, from the DigiCert® Software Trust Manager UI or our command line interface SMCTL.

To download a GPG keyring using DigiCert® Software Trust Manager:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Select the overflow menu represented by three dots.

  4. Select Download keyring.

  5. Select one or more master keys.

  6. Select Bulk actions.

  7. Select Download keyring.

To download a GPG keyring using SMCTL:

  1. Access SMCTL.

  2. Run the command:

    smctl gpg keyring download <gpg master key keypair id> <gpg master key keypair id> 

    Command sample:

    smctl gpg keyring download 94247aee-32ea-4e24-8cff-b4f8faefe1f9 26a2b44d-b8c0-40f6-883b-46cb6fce5445 

    This command downloads a file named pubring.gpg to the following directory:

    Table 1. Pubring location

    Operating system    Directory
    Windows             C:\Users\<user_name>\AppData\Roaming\gnupg\pubring.gpg
    Linux or Mac        /User/<user_name>/.gnupg/pubring.gpg
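As an added check that is not part of this documentation or of SMCTL: the script below parses the machine-readable listing GnuPG prints for a downloaded pubring (the output of `gpg --list-keys --with-colons`, whose field layout is documented in GnuPG's doc/DETAILS) and flags keys that depart from the roles recommended above: a master key that carries the sign capability, a non-RSA master key, and revoked or expired subkeys. The key ids and the listing itself are constructed sample data.

```python
"""Audit a GPG public keyring against the master-certifies / subkeys-sign model.
Added example (not DigiCert/SMCTL code); reads `gpg --list-keys --with-colons` output."""

ALGO = {1: "RSA", 19: "ECDSA", 22: "EdDSA"}   # OpenPGP public-key algorithm ids

# Constructed sample colon output: an RSA master key that also carries the
# sign capability, an EdDSA signing subkey, and a revoked ECDSA subkey.
SAMPLE_COLONS = """\
pub:u:3072:1:AAAA000011112222:1700000000:1800000000::u:::scESC::::::23::0:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Signer <signer@example.com>::::::::::0:
sub:u:256:22:BBBB000011112222:1700000000:1800000000:::::s::::::23:
sub:r:256:19:CCCC000011112222:1700000000::::::s::::::23:
"""


def parse_keyring(colons: str) -> list[dict]:
    """Group each pub record with the sub records that follow it."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # fpr/uid records are not needed for this audit
        rec = {
            "keyid": f[4],
            "validity": f[1],  # 'r' revoked, 'e' expired, 'u' ultimate, ...
            "algo": ALGO.get(int(f[3]), "algo" + f[3]),
            # lowercase letters are this key's own capabilities (s=sign, c=certify)
            "caps": "".join(c for c in f[11] if c.islower()),
        }
        if f[0] == "pub":
            rec["subkeys"] = []
            keys.append(rec)
        else:
            keys[-1]["subkeys"].append(rec)
    return keys


def audit(keys: list[dict]) -> list[str]:
    """Return findings that deviate from the recommended key roles."""
    findings = []
    for k in keys:
        if "s" in k["caps"]:
            findings.append(f"master {k['keyid']}: has sign capability; use it only to certify subkeys")
        if k["algo"] != "RSA":
            findings.append(f"master {k['keyid']}: {k['algo']} master key; RSA recommended for compatibility")
        usable = [s for s in k["subkeys"] if "s" in s["caps"] and s["validity"] not in ("r", "e")]
        if not usable:
            findings.append(f"master {k['keyid']}: no usable signing subkey; create a replacement")
        for s in k["subkeys"]:
            if s["validity"] in ("r", "e"):
                findings.append(f"subkey {s['keyid']}: {'revoked' if s['validity'] == 'r' else 'expired'}; do not use it for signing")
    return findings
```

To run it against a real download, feed it the output of `gpg --no-default-keyring --keyring <path to pubring.gpg> --list-keys --with-colons` instead of SAMPLE_COLONS.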



Delete GPG key

To delete a GPG key:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Hover over the GPG keypair alias until the menu icon (three dots) appears.

  4. Select Delete.

    Note

    If teams are enabled, the approver(s) will receive an email to approve the deletion of the keypair. Once all approvals have been received, the requester will receive an email notifying them that the keypair has been deleted.

Import a GPG keyring

Note

  • Supported formats include .gpg and .asc.

  • Supported algorithms include ECDSA NIST P-384, ECDSA NIST P-256, EdDSA25519, RSA-3072, RSA-4096, and RSA-2048.

  • Maximum file size for a secring is 100KB.

  • Secrings are imported as Open access, Production category, and Offline status. Once a secring is imported, you can change these settings.

  • Secrings cannot be imported if the master keypair is revoked or expired; if the file contains multiple secrings; if the master private key is empty; if the user ID for the master key does not include the person's name and email address; or if the key size, algorithm, or curve is not supported.

  • Subkeys are imported with reduced permissions if they have any permissions not supported by DigiCert® Software Trust Manager. The import ignores subkeys that are not valid.

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Above the table of keys, select the options button (three dots). In the dropdown menu, select Import secring.

  4. Drag the keyring file to the import box, or select the box to choose the file from your local environment.

  5. Enter the password protecting the secring. Select Next.

  6. Enter an alias for each master key and subkey. Select Import.

Export a GPG keyring

We recommend keeping your GPG secrings in DigiCert® Software Trust Manager. Exporting a secring adds a layer of risk that your key will be compromised. If you must export a GPG secring, be sure you can store it securely.

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > DigiCert® Software Trust Manager > Keypairs > GPG keypairs.

  3. Select the secring you want to export.

  4. Select the three dots next to its name. From the dropdown, select Export secring.

  5. Select Next. Enter a reason for the export (optional).

Once the approver(s) make a decision, you will receive an email telling you whether your request was approved or rejected.

  1. The approver for this keypair receives your request for export. If a team manages this keypair, you may need multiple approvals before exporting it.

  2. In the approval email, select Download. A browser window will open with a passcode on it.

  3. Select Download.

    Warning

    If you lose your passcode, you must begin this process (including approvals) from the start.