
GPG keys

GPG keys are different from other private keys because each GPG key includes a master key and associated subkeys. While there are no technical differences between a master key and subkey, the responsibilities of these keys remain separate to enhance security.

We recommend that the master key only be used for creating subkeys and the subkeys be used for signing. In the event that a subkey is compromised, this will allow you to revoke and replace the affected subkey, while the master key and uncompromised subkeys remain secure. The identity of the key is associated with the master key; therefore, if the master key is compromised, the identity of the master key and all associated subkeys are compromised and must be revoked and replaced.

Note

The terms "GnuPG" and "GPG" should only be used when referring to the tools, not to the output they produce or OpenPGP features they implement.

Enable GPG keys

Note

Use of GPG keys is generally enabled by Technical support. However, if DigiCert ONE is hosted in-house, the certificate template can be created by a system scope admin with the Manage account settings permission.

To enable GPG keys:

  1. Sign in to DigiCert ONE as a system scope admin.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Click the pencil icon next to System.

  5. Identify the GPG keys field.

  6. Select Enable.

GPG algorithm and key strength

GPG supports many algorithms, but we recommend the two below:

RSA for the master key

For compatibility reasons, we recommend that you use RSA for the master key. Some tools do not handle ECC keys properly. Master keys are not used often; therefore the speed and size considerations of RSA are unimportant.

ECC (elliptic curve) for subkeys

Subkeys are used more often; therefore ECC (ECDSA or EdDSA) is recommended, as it is faster and the resulting signatures are dramatically smaller than with RSA.

Master key

A master key can technically be used to sign without a need for a subkey. However, we recommend that you only use the master key (sometimes called “certification key”) to certify and create subkeys.

A GPG master key contains:

  • RSA, ECDSA, or EdDSA keypair.

  • User IDs (UIDs).

  • Self-signature for every UID associated with the master key.

  • Key that can certify.

The master key can be used to:

  • Add or revoke subkeys.

  • Add, change, or revoke user identities (UIDs) associated with the key.

  • Add or change the expiration date on itself or any subkey.

  • Sign other people's keys for web-of-trust purposes.

Generate a GPG master key

You can generate a master key and subkeys from the DigiCert® Software Trust Manager UI or from our command line interface SMCTL.

You require the Manage master key permission to generate a GPG master key.

Note

What is a User ID (UID)?

UIDs are assigned to the master key. They are used to identify your GPG key.

UID format

Name (Comment) <email>

UID examples

  • John Doe (Signing) <john.doe@example.com>

  • Jane Doe <jane.doe@example.com>

Tip

UIDs are shown in some GnuPG operations. Select a name, email address, and comment that are both professional and commonly used for PGP-protected communication, for example your company email address or one you use for signing off on project commits.

Subkey

The subkey should be used to sign.

A GPG subkey contains:

  • RSA, ECDSA, or EdDSA keypair.

  • Master key signature certifying that the subkey is associated with the master key.

  • Key that can sign.

Generate a GPG subkey

You can generate a master key and subkeys from the DigiCert® Software Trust Manager UI or from our command line interface SMCTL.

Download GPG keyring

You can download the GPG keyring, which contains one or more master keys and all subkeys associated with the selected master keys, from Software Trust Manager or SMCTL.

Delete GPG key

To delete a GPG key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Hover over the GPG keypair alias until the menu icon (three dots) appears.

  5. Select Delete.

    Note

    If teams are enabled, the approver(s) will receive an email to approve the deletion of the keypair. Once all approvals have been received, the requester will receive an email notifying them that the keypair has been deleted.

Import a GPG keyring

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Above the table of keys, select the options button (three dots). In the dropdown menu, select Import secring.

  5. Drag the keyring file to the import box, or select the box to choose the file from your local environment.

  6. Enter the password protecting the secring. Select Next.

  7. Enter an alias for each master key and subkey. Select Import.

注記

  • Supported formats include .gpg and .asc.

  • Supported algorithms include ECDSA NIST P-384, ECDSA NIST P-256, EdDSA25519, RSA-3072, RSA-4096, and RSA-2048.

  • Maximum file size for a secring is 100KB.

  • Secrings are imported as Open access, Production category, and Offline status. Once a secring is imported, you can change these settings.

  • Secrings may not be imported if the master keypair is revoked or expired; if the file contains multiple secrings; if the master private key is empty; if the user ID for the master key does not include the person's name and email address; or if the key size, algorithm, or curve is not supported.

  • Subkeys will be imported with reduced permission if they have any permissions not supported by DigiCert® Software Trust Manager. The import system will ignore subkeys that are not valid.
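As an added example (not DigiCert's, SMCTL's or GnuPG's code), the following Python pre-flight check ties the UID format described above to the import rules listed here: it parses a UID into name, comment and email, and reports each stated rejection reason for a constructed description of a secring. The MasterKey record and the SUPPORTED set are assumptions modelled on this page, not an SMCTL data structure or API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed grammar for the page's UID format "Name (Comment) <email>":
# the comment is optional, and the email may be missing (the case the
# import rules reject).
_UID_RE = re.compile(
    r"^(?P<name>[^(<]+?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>\s]+)>)?$"
)

# Algorithm / key-size-or-curve combinations the page lists as supported.
SUPPORTED = {("RSA", "2048"), ("RSA", "3072"), ("RSA", "4096"),
             ("ECDSA", "NIST P-256"), ("ECDSA", "NIST P-384"), ("EdDSA", "Ed25519")}


def parse_uid(uid: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Split a UID into (name, comment, email); missing parts are None."""
    m = _UID_RE.match(uid.strip())
    if not m:
        return None, None, None
    return m["name"].strip(), m["comment"], m["email"]


def uid_complete(uid: str) -> bool:
    """True when the UID carries both a person's name and an email address."""
    name, _, email = parse_uid(uid)
    return bool(name) and bool(email)


@dataclass
class MasterKey:
    # Hypothetical summary of one master key in a secring (assumption, not
    # a GnuPG or SMCTL structure); a caller would fill it from a parsed keyring.
    algo: str
    size_or_curve: str
    uids: List[str]
    has_private: bool = True
    revoked: bool = False
    expired: bool = False


def import_problems(secrings: List[MasterKey]) -> List[str]:
    """Return the page's stated reasons an import of this file would be refused."""
    problems = []
    if len(secrings) > 1:
        problems.append("file contains multiple secrings")
    for k in secrings:
        if k.revoked or k.expired:
            problems.append("master keypair is revoked or expired")
        if not k.has_private:
            problems.append("master private key is empty")
        if (k.algo, k.size_or_curve) not in SUPPORTED:
            problems.append(f"unsupported algorithm/curve: {k.algo} {k.size_or_curve}")
        if not any(uid_complete(u) for u in k.uids):
            problems.append("no UID includes both a name and an email address")
    return problems
```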

Export a GPG keyring

We recommend keeping your GPG secrings in Software Trust Manager. Exporting a secring adds a layer of risk that your key will be compromised. If you must export a GPG secring, be sure you can store it securely.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Select the secring you want to export.

  5. Select the three dots next to its name. From the dropdown, select Export secring.

  6. Enter a reason for the export (optional).

  7. Select Next.

Once the approver(s) make a decision, you will receive an email telling you whether your request was approved or rejected.

  1. The approver for this keypair receives your request for export. If a team manages this keypair, you may need multiple approvals before exporting it.

  2. In the approval email, select Download. A browser window will open with a passcode on it.

  3. Select Download.

    Warning

    WARNING: If you lose your passcode, you must begin this process (including approvals) from the start.