Skip to main content

Create a GPG master key

While a master key can be used to sign without a subkey, we recommend that you use instead the master key to certify and create subkeys.

A master key can also be referred to as a certification key.

A GPG master key contains:

An RSA, ECDSA, or EdDSA keypair
User IDs (UIDs)
Self-signature for every master key's UID
A key that can certify

A master key can be used to:

Add or revoke subkeys
Add, change, or revoke the key's user identities (UIDs)
Add or change the expiration date on itself or any subkey
Sign other people's keys for web-of-trust purposes

Note

What is a User ID (UID)?

UIDs are assigned to the master key. They're used to identify your GPG key.

UID format

Name (Comment) <email>

UID examples

John Doe (Signing) john.doe@example.com
Jane Doe jane.doe@example.com

Tip

UIDs are shown in some GnuPG operations. Select a name, email address, and comment that are both professional and commonly used for PGP-protected communication, such as a company email.

Create a GPG master key

Exemple 1. Software Trust Manager

To generate a GPG master key:

In the Software Trust menu, go to Keypairs > GPG keypairs.
Select Create master key.

Complete the following fields, and then select Create:

Field	Description
Alias	Name to uniquely identify this master key.
Purpose	Select Sign to use this key to sign.
Name	Enter the name of the user.
Comment (optional)	A comment can help you identify the key's purpose or help end users understand more about the master key.
Email	Enter the user's email address.
Set user ID as primary	Select this option to designate a specific user ID as the primary ID for this key. If you entered multiple user IDs, then select the desired user ID from the dropdown.
Algorithm	Select RSA, ECDSA, or EdDSA. When you select EdDSA the key curve sets to Ed25519. Note For compatibility reasons, we recommend that you use RSA for the master key. Some tools don't handle ECC keys properly. Master keys aren't used often. As a result, the speed and size considerations of RSA are unimportant.
Key size/curve	Select 2048, 3072, or 4096.
Category	Select Production or Test.
Storage	Select if the keypair should be generated and stored on HSM or Disk.
Keypair status	Select Online (can be used to sign anytime) or Offline (can be used to sign during a scheduled release).
Access	Select Open to allow access to any account user. Select Restricted to limit access to specified users or a member of a specified user group.
Keypair validity	Select Select an expiry date to set a specific expiry date for your keypair. The keypair will expire at the end of the day you selected, precisely at midnight (UTC). Select Never expire to keep your keypair active until you manually add an expiry date.
Allowed users	For Restricted keypairs, you can specify which users can use the keypair.
Allowed user groups	For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.
Team This field appears when teams are enabled.	Select a team that should have access to this keypair.

Exemple 2. SMCTL

To generate a GPG master key, run:

smctl gpg keypair generate <master key alias> --key-alg “<algorithm>” --key-size <RSA key size>|--curve “<ECDSA curve name>” --can-sign “<YES or NO>” --gpg-key-type “MASTER” --uids “name=<name>,email=<email>", “name=<name>,email=<email>"

Review the following sample command:

smctl gpg keypair generate smctl_gpg_master --key-alg "ECDSA" --curve "P256"  --can-sign "YES" --gpg-key-type "MASTER" --uids "name=useridsmctl1,email=name@digicert.com name=useridsmctl2,email=name@digicert.com"

To configure a GPG key with an expiry date, review the following flags:

--expire-on string  Provide the expiry date for the GPG keypair in the format: DD-MONTH-YYYY(e.g., 10-May-2024). The keypair will expire at midnight (UTC) on the date selected. Requires: --expiry-type ON_SPECIFIC_DATE

--expiry-type string  Provide one of the following expiry types for production keypairs only: - NO_EXPIRY | ON_SPECIFIC_DATE

Dans cette section:

Cet article vous a-t-il été utile ?