Create a GPG subkey
Before you begin
A GPG subkey has the following characteristics:
An RSA, ECDSA, or EdDSA keypair
A master key signature certifying that the subkey is associated with the master key
Signing capability; day-to-day signing should be done with the subkey rather than the master key
Create a GPG subkey
You can generate a master key and subkey from either Software Trust Manager (the web console) or SMCTL (the command-line tool).
From Software Trust Manager:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Select: Keypairs > GPG keypairs.
Select Create subkey.
Complete the following fields:
Field
Description
Alias
Name to uniquely identify this subkey.
Select master key
Select the master key that this subkey should be associated with.
Algorithm
Select RSA, ECDSA, or EdDSA. When you select EdDSA the key curve sets to Ed25519.
Note
Subkeys are used far more often than the master key, so ECC (ECDSA or EdDSA) is recommended: signing is faster, and the resulting signatures are dramatically smaller than with RSA.
Key size/curve
For RSA, select 2048, 3072, or 4096 bits. For EdDSA the curve is fixed to Ed25519 (see Algorithm above).
Category
Select Production or Test.
Storage
Select if the keypair should be generated and stored on HSM or Disk.
Keypair status
Select Online (can be used to sign anytime) or Offline (can only be used to sign during a scheduled release).
Access
Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group).
Keypair validity
Select "Select an expiry date" to set a specific expiry date for your keypair. The keypair expires at the end of the selected day, precisely at midnight (UTC).
Select "Never expire" to keep your keypair active until you manually add an expiry date.
Allowed users
For Restricted keypairs, you can specify which users can use the keypair.
Allowed user groups
For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.
Team
This field displays when teams are enabled.
Select a team that should have access to this keypair.
From SMCTL, to generate a GPG subkey, run:
smctl gpg keypair generate <subkey alias> --can-sign "<YES or NO>" --gpg-key-type "SUB" --key-alg "<algorithm>" --key-size <RSA key size in bits> | --curve "<ECDSA curve name>" --key-type "<TEST or PRODUCTION>" --master-gpg-keypair-id "<keypair id for gpg master key>"
Use --key-size for RSA keys or --curve for ECC keys, not both.
Command sample:
smctl gpg keypair generate gpg_smctl_sub1 --can-sign "YES" --gpg-key-type "SUB" --key-alg "RSA" --key-size 3072 --key-type "TEST" --master-gpg-keypair-id "34d08346-7560-48d7-a5db-f6570e704857"
Command output (the keypair ID of the new subkey):
55200043-f586-4508-b094-c1cad4ea21b4
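As an added example (not DigiCert's code), the following Python wrapper builds the smctl invocation described above, enforces the page's constraints (RSA takes --key-size from the listed sizes, ECDSA takes --curve, EdDSA is always Ed25519, exactly one of the two options is passed) and validates that what smctl printed is actually a keypair ID before it is recorded. It assumes smctl is on PATH and, for EdDSA, that the CLI accepts the curve name "Ed25519" via --curve, which the page only shows for the web console.

```python
import re
import subprocess
from typing import List, Optional

# Keypair IDs in the page's examples are UUIDs; used to sanity-check input and output.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
RSA_SIZES = {2048, 3072, 4096}  # the sizes offered in the Key size field


def build_subkey_command(alias: str, master_id: str, key_alg: str, *,
                         key_size: Optional[int] = None, curve: Optional[str] = None,
                         category: str = "TEST", can_sign: bool = True) -> List[str]:
    """Return the smctl argv for generating a GPG subkey bound to master_id."""
    if not UUID_RE.match(master_id):
        raise ValueError("master-gpg-keypair-id must be the master key's keypair ID")
    if category not in ("TEST", "PRODUCTION"):
        raise ValueError("category must be TEST or PRODUCTION")
    argv = ["smctl", "gpg", "keypair", "generate", alias,
            "--can-sign", "YES" if can_sign else "NO",
            "--gpg-key-type", "SUB", "--key-alg", key_alg]
    if key_alg == "RSA":
        if key_size not in RSA_SIZES or curve is not None:
            raise ValueError("RSA needs --key-size 2048, 3072 or 4096 and no --curve")
        argv += ["--key-size", str(key_size)]
    elif key_alg == "ECDSA":
        if not curve or key_size is not None:
            raise ValueError("ECDSA needs --curve and no --key-size")
        argv += ["--curve", curve]
    elif key_alg == "EdDSA":
        # Assumption: the CLI accepts the curve name the console fixes for EdDSA.
        if key_size is not None or curve not in (None, "Ed25519"):
            raise ValueError("EdDSA subkeys are always Ed25519")
        argv += ["--curve", "Ed25519"]
    else:
        raise ValueError("key_alg must be RSA, ECDSA or EdDSA")
    return argv + ["--key-type", category, "--master-gpg-keypair-id", master_id]


def parse_subkey_id(output: str) -> str:
    """smctl prints the new subkey's keypair ID; refuse anything else so an
    error message is never stored as a key ID by a release script."""
    token = output.strip()
    if not UUID_RE.match(token):
        raise RuntimeError(f"unexpected smctl output: {output!r}")
    return token.lower()


def generate_subkey(**kwargs) -> str:
    """Run smctl with the validated argv and return the new subkey's ID."""
    proc = subprocess.run(build_subkey_command(**kwargs),
                          capture_output=True, text=True, check=True)
    return parse_subkey_id(proc.stdout)
```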