gnupg: Certificate Management
5.1.3 How to manage the certificates and keys
---------------------------------------------
'--generate-key'
'--gen-key'
This command allows the creation of a certificate signing request
or a self-signed certificate. It is commonly used along with the
'--output' option to save the created CSR or certificate into a
file. If used with the '--batch' a parameter file is used to
create the CSR or certificate and it is further possible to create
non-self-signed certificates.
'--list-keys'
'-k'
List all available certificates stored in the local key database.
Note that the displayed data might be reformatted for better human
readability and illegal characters are replaced by safe
substitutes.
'--list-secret-keys'
'-K'
List all available certificates for which a corresponding a secret
key is available.
'--list-external-keys PATTERN'
List certificates matching PATTERN using an external server. This
utilizes the 'dirmngr' service.
'--list-chain'
Same as '--list-keys' but also prints all keys making up the chain.
'--dump-cert'
'--dump-keys'
List all available certificates stored in the local key database
using a format useful mainly for debugging.
'--dump-chain'
Same as '--dump-keys' but also prints all keys making up the chain.
'--dump-secret-keys'
List all available certificates for which a corresponding a secret
key is available using a format useful mainly for debugging.
'--dump-external-keys PATTERN'
List certificates matching PATTERN using an external server. This
utilizes the 'dirmngr' service. It uses a format useful mainly for
debugging.
'--keydb-clear-some-cert-flags'
This is a debugging aid to reset certain flags in the key database
which are used to cache certain certificate stati. It is
especially useful if a bad CRL or a weird running OCSP responder
did accidentally revoke certificate. There is no security issue
with this command because 'gpgsm' always make sure that the
validity of a certificate is checked right before it is used.
'--delete-keys PATTERN'
Delete the keys matching PATTERN. Note that there is no command to
delete the secret part of the key directly. In case you need to do
this, you should run the command 'gpgsm --dump-secret-keys KEYID'
before you delete the key, copy the string of hex-digits in the
"keygrip" line and delete the file consisting of these hex-digits
and the suffix '.key' from the 'private-keys-v1.d' directory below
our GnuPG home directory (usually '~/.gnupg').
'--export [PATTERN]'
Export all certificates stored in the Keybox or those specified by
the optional PATTERN. Those pattern consist of a list of user ids
(⇒how-to-specify-a-user-id). When used along with the
'--armor' option a few informational lines are prepended before
each block. There is one limitation: As there is no commonly
agreed upon way to pack more than one certificate into an ASN.1
structure, the binary export (i.e. without using 'armor') works
only for the export of one certificate. Thus it is required to
specify a PATTERN which yields exactly one certificate. Ephemeral
certificate are only exported if all PATTERN are given as
fingerprints or keygrips.
'--export-secret-key-p12 KEY-ID'
Export the private key and the certificate identified by KEY-ID
using the PKCS#12 format. When used with the '--armor' option a
few informational lines are prepended to the output. Note, that
the PKCS#12 format is not very secure and proper transport security
should be used to convey the exported key. (⇒option
--p12-charset.)
'--export-secret-key-p8 KEY-ID'
'--export-secret-key-raw KEY-ID'
Export the private key of the certificate identified by KEY-ID with
any encryption stripped. The '...-raw' command exports in PKCS#1
format; the '...-p8' command exports in PKCS#8 format. When used
with the '--armor' option a few informational lines are prepended
to the output. These commands are useful to prepare a key for use
on a TLS server.
'--import [FILES]'
Import the certificates from the PEM or binary encoded files as
well as from signed-only messages. This command may also be used
to import a secret key from a PKCS#12 file.
'--learn-card'
Read information about the private keys from the smartcard and
import the certificates from there. This command utilizes the
'gpg-agent' and in turn the 'scdaemon'.
'--change-passphrase USER_ID'
'--passwd USER_ID'
Change the passphrase of the private key belonging to the
certificate specified as USER_ID. Note, that changing the
passphrase/PIN of a smartcard is not yet supported.