Create GPG master key

A master key can technically be used to sign without a need for a subkey. However, we recommend that you only use the master key (sometimes called “certification key”) to certify and create subkeys.

You can generate a master and subkey from DigiCert® Software Trust Manager or our command line interface SMCTL.

You require the Manage master key permission to generate a GPG master key.

Example 1. Software Trust Manager

To generate a GPG master key:

Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > GPG keypairs.
Select Create master key.

Complete the following fields:

Field	Description
Alias	Name to uniquely identify this master key.
Purpose	Check the box next to Sign if you want to use this key to sign.
User ID name	Enter the name of the user.
User ID comment (optional)	The comment field is optional but useful as adding a comment may help you identify what the key is used for or tell the end-user more about that master key.
User ID email	Enter the user's email address.
Set user ID as primary	Select this option to designate a specific user ID as the primary ID for this key. If you entered multiple user IDs, then select the desired user ID from the dropdown.
Algorithm	Select RSA, ECDSA, or EdDSA. When you select EdDSA the key curve sets to Ed25519. Note For compatibility reasons, we recommend that you use RSA for the master key. Some tools do not handle ECC keys properly. Master keys are not used often therefore the speed and size considerations of RSA are unimportant.
Key size/curve	Select 2048, 3072, or 4096.
Category	Select Production or Test.
Storage	Select if the keypair should be generated and stored on HSM or Disk.
Keypair status	Select Online (can be used to sign anytime) or Offline (can only be used to sign during a scheduled release).
Access	Select Open (can be used by any account user) or Restricted (can only be used by specified users or a member of a specified user group.
Keypair validity	Select Select an expiry date to set a specific expiry date for your keypair. The keypair will expire at the end of the day you selected, precisely at midnight (UTC). Select Never expire to keep your keypair active until you manually add an expiry date.
Allowed users	For Restricted keypairs, you can specify which users can use the keypair.
Allowed user groups	For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.
Team This field displays when teams are enabled.	Select a team that should have access to this keypair.

Example 2. SMCTL

To generate a GPG master key, run:

smctl gpg keypair generate <master key alias> --key-alg “<algorithm>” --key-size <RSA key size>|--curve “<ECDSA curve name>” --can-sign “<YES or NO>” --gpg-key-type “MASTER” --uids “name=<name>,email=<email>", “name=<name>,email=<email>"

Review the following sample command:

smctl gpg keypair generate smctl_gpg_master --key-alg "ECDSA" --curve "P256"  --can-sign "YES" --gpg-key-type "MASTER" --uids "name=useridsmctl1,email=name@digicert.com name=useridsmctl2,email=name@digicert.com"

To configure a GPG key with an expiry date, review the following flags:

--expire-on string  Provide the expiry date for the GPG keypair in the format: DD-MONTH-YYYY(e.g., 10-May-2024). The keypair will expire at midnight (UTC) on the date selected. Requires: --expiry-type ON_SPECIFIC_DATE

--expiry-type string  Provide one of the following expiry types for production keypairs only: - NO_EXPIRY | ON_SPECIFIC_DATE

Note

What is a User ID (UID)?

UIDs are assigned to the master key. They are used to identify your GPG key.

UID format

Name (Comment) <email>

UID examples

John Doe (Signing) john.doe@example.com
Jane Doe jane.doe@example.com

Tip

UIDs are shown in some GnuPG operations. Select a name, email address, and comment that are both professional and commonly used for PGP-protected communication, for example your company email address or one you use for signing off on project commits.