GPG keys (2024)

GPG keys are different from other private keys because each GPG key includes a master key and associated subkeys. While there are no technical differences between a master key and subkey, the responsibilities of these keys remain separate to enhance security.

We recommend that the master key only be used for creating subkeys and the subkeys be used for signing. In the event that a subkey is compromised, this will allow you to revoke and replace the affected subkey, while the master key and uncompromised subkeys remain secure. The identity of the key is associated with the master key; therefore, if the master key is compromised, the identity of the master key and all associated subkeys are compromised and must be revoked and replaced.

Note

The terms "GnuPG" and "GPG" should only be used when referring to the tools, not to the output they produce or OpenPGP features they implement.

Enable GPG keys

Note

Use of GPG keys is generally enabled by Technical Support. However, if DigiCert ONE is hosted in-house, the certificate template can be created by a system scope admin with the Manage account settings permission.

To enable GPG keys:

  1. Sign in to DigiCert ONE as a system scope admin.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Click the pencil icon next to System.

  5. Identify the GPG keys field.

  6. Select Enable.

GPG algorithm and key strength

GPG supports many algorithms, but we recommend the two below:

RSA for the master key

For compatibility reasons, we recommend that you use RSA for the master key. Some tools do not handle ECC keys properly. Master keys are not used often, so the speed and size considerations of RSA are unimportant.

ECC (elliptic curve) for subkeys

Subkeys are used more often, so ECC (ECDSA or EdDSA) is recommended: it is faster, and the resulting signatures are dramatically smaller than with RSA.

Master key

A master key can technically be used to sign without a need for a subkey. However, we recommend that you only use the master key (sometimes called “certification key”) to certify and create subkeys.

A GPG master key contains:

  • RSA, ECDSA, or EdDSA keypair.

  • User IDs (UIDs).

  • Self-signature for every UID associated with the master key.

  • Key that can certify.

The master key can be used to:

  • Add or revoke subkeys.

  • Add, change, or revoke user identities (UIDs) associated with the key.

  • Add or change the expiration date on itself or any subkey.

  • Sign other people's keys for web-of-trust purposes.

Generate GPG master key

You can generate a master and subkey from DigiCert® Software Trust Manager or our command line interface SMCTL.

You require the Manage master key permission to generate a GPG master key.

1. Software Trust Manager

To generate a GPG master key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Select Create master key.

  5. Complete the following fields:

    Alias: Name to uniquely identify this master key.

    Purpose: Check the box next to Sign if you want to use this key to sign.

    User ID name: Enter the name of the user.

    User ID comment (optional): The comment field is optional, but a comment may help you identify what the key is used for or tell the end user more about that master key.

    User ID email: Enter the user's email address.

    Algorithm: Select RSA, ECDSA, or EdDSA. When you select EdDSA, the key curve is set to Ed25519.

    Note: For compatibility reasons, we recommend that you use RSA for the master key. Some tools do not handle ECC keys properly. Master keys are not used often, so the speed and size considerations of RSA are unimportant.

    Key size/curve: Select 2048, 3072, or 4096.

    Category: Select Production or Test.

    Storage: Select whether the keypair should be generated and stored on HSM or Disk.

    Keypair status: Select Online (can be used to sign anytime) or Offline (can only be used to sign during a scheduled release).

    Access: Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group).

    Team: Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.


2. SMCTL

To generate a GPG master key, run:

smctl gpg keypair generate <master key alias> --key-alg "<algorithm>" --key-size <RSA key size> | --curve "<ECDSA curve name>" --can-sign "<YES or NO>" --gpg-key-type "MASTER" --uids "name=<name>,email=<email>", "name=<name>,email=<email>"

Command sample:

smctl gpg keypair generate smctl_gpg_master --key-alg "ECDSA" --curve "P256" --can-sign "YES" --gpg-key-type "MASTER" --uids "name=useridsmctl1,email=name@digicert.com name=useridsmctl2,email=name@digicert.com"

Note

What is a User ID (UID)?

UIDs are assigned to the master key. They are used to identify your GPG key.

UID format

Name (Comment) <email>

UID examples

  • John Doe (Signing) <john.doe@example.com>

  • Jane Doe <jane.doe@example.com>

Tip

UIDs are shown in some GnuPG operations. Select a name, email address, and comment that are both professional and commonly used for PGP-protected communication, for example your company email address or one you use for signing off on project commits.

Subkey

The subkey should be used to sign.

A GPG subkey contains:

  • RSA, ECDSA, or EdDSA keypair.

  • Master key signature certifying that the subkey is associated with the master key.

  • Key that can sign.

Generate GPG subkey

You can generate a master and subkey from Software Trust Manager or SMCTL.

3. Software Trust Manager

To generate a GPG subkey:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Select Create subkey.

  5. Complete the following fields:

    Alias: Name to uniquely identify this subkey.

    Select master key: Select the master key that this subkey should be associated with.

    Algorithm: Select RSA, ECDSA, or EdDSA. When you select EdDSA, the key curve is set to Ed25519.

    Note: Subkeys are used more often, so ECC (ECDSA or EdDSA) is recommended: it is faster, and the resulting signatures are dramatically smaller than with RSA.

    Key size/curve: Select 2048, 3072, or 4096.

    Category: Select Production or Test.

    Storage: Select whether the keypair should be generated and stored on HSM or Disk.

    Keypair status: Select Online (can be used to sign anytime) or Offline (can only be used to sign during a scheduled release).

    Access: Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group).

    Team: Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.


4. SMCTL

To generate a GPG subkey, run:

smctl gpg keypair generate <subkey alias> --can-sign "<YES or NO>" --gpg-key-type "SUB" --key-alg "<algorithm>" --key-size <RSA key size in bits> | --curve "<ECDSA curve name>" --key-type "<TEST or PRODUCTION>" --master-gpg-keypair-id "<keypair id for gpg master key>"

Command sample:

smctl gpg keypair generate gpg_smctl_sub1 --can-sign "YES" --gpg-key-type "SUB" --key-alg "RSA" --key-size 3072 --key-type "TEST" --master-gpg-keypair-id "34d08346-7560-48d7-a5db-f6570e704857"

Command output:

55200043-f586-4508-b094-c1cad4ea21b4

Download GPG keyring

You can download the GPG keyring, which contains one or more master keys and all subkeys associated with the selected master keys, from Software Trust Manager or SMCTL.

5. Software Trust Manager

To download a GPG keyring:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Select the overflow menu represented by three dots.

  5. Select Download keyring.

  6. Select one or more master keys.

  7. Select Bulk actions.

  8. Select Download keyring.


6. SMCTL

To download a GPG keyring, run:

smctl gpg keyring download <gpg master key keypair id> <gpg master key keypair id>

Command sample:

smctl gpg keyring download 94247aee-32ea-4e24-8cff-b4f8faefe1f9 26a2b44d-b8c0-40f6-883b-46cb6fce5445

This command downloads a file named pubring.gpg to the following directory:

Pubring location

  Windows: C:\Users\<user_name>\AppData\Roaming\gnupg\pubring.gpg

  Linux or Mac: /User/<user_name>/.gnupg/pubring.gpg
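Once the keyring is downloaded you can check it against the guidance above (an RSA master key that only certifies, ECC subkeys that do the signing, and UIDs in the Name (Comment) <email> form) by running the listing that gpg prints with --with-colons through a small audit. The example below is added here and is not part of DigiCert's documentation or SMCTL; the two listings are constructed samples laid out in GnuPG's colon format (field 4 is the OpenPGP algorithm number, field 12 the capability letters), with invented key IDs and timestamps.

```python
import re
# Constructed listings in the format 'gpg --list-keys --with-colons' prints for a
# downloaded pubring.gpg (key IDs and timestamps are invented). Field 4 is the
# algorithm number, field 12 the capabilities (lowercase = this key's own).
GOOD_LISTING = """\
pub:u:3072:1:0000000000000001:1700000000:::u:::cSC::::::23::0:
uid:u::::1700000000::0000::John Doe (Signing) <john.doe@example.com>::::::::::0:
sub:u:256:22:0000000000000002:1700000000::::::s::::::2:
"""
BAD_LISTING = """\
pub:u:256:22:0000000000000003:1700000000:::u:::scSC::::::2::0:
uid:u::::1700000000::0000::Jane Doe jane.doe@example.com::::::::::0:
sub:u:3072:1:0000000000000004:1700000000::::::s::::::23::0:
"""
ALGO = {1: "RSA", 19: "ECDSA", 22: "EdDSA"}  # OpenPGP public-key algorithm ids
# UID format from this page: Name (Comment) <email>, with the comment optional.
UID_RE = re.compile(r"^(?P<name>[^(<]+?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>$")

def parse_uid(uid):
    """Return (name, comment, email) for a well-formed UID, else None."""
    m = UID_RE.match(uid.strip())
    return m and (m.group("name").strip(), m.group("comment") or "", m.group("email").strip())

def audit_keyring(listing):
    """Return findings where the keyring departs from the page's recommendations."""
    findings, master, subkeys, uids = [], None, [], []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # master key: algorithm name, key id, capabilities
            master = (ALGO.get(int(f[3]), f[3]), f[4], f[11])
        elif f[0] == "sub":
            subkeys.append((ALGO.get(int(f[3]), f[3]), f[4], f[11]))
        elif f[0] == "uid":
            uids.append(f[9])
    if master is None:
        return ["no master (pub) key in listing"]
    algo, keyid, caps = master
    if algo != "RSA":
        findings.append(f"master {keyid}: {algo}; RSA is recommended for compatibility")
    if "s" in caps:  # lowercase s = the master key itself can sign
        findings.append(f"master {keyid}: can sign; use it only to certify and create subkeys")
    if not any("s" in c for _, _, c in subkeys):
        findings.append(f"master {keyid}: has no signing subkey")
    for algo, keyid, caps in subkeys:
        if "s" in caps and algo == "RSA":
            findings.append(f"subkey {keyid}: RSA signing subkey; ECDSA or EdDSA is faster and smaller")
    for uid in uids:
        if parse_uid(uid) is None:
            findings.append(f"uid {uid!r}: expected 'Name (Comment) <email>' with name and email")
    return findings
```

To audit a real download, pass the output of `gpg --no-default-keyring --keyring pubring.gpg --list-keys --with-colons` to audit_keyring; a keyring with several master keys needs the loop extended to reset the state at each pub line.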



Delete GPG key

To delete a GPG key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Hover over the GPG keypair alias until the menu icon (three dots) appears.

  5. Select Delete.

    Note

    If teams are enabled, the approver(s) will receive an email to approve the deletion of the keypair. Once all approvals have been received, the requester will receive an email notifying them that the keypair has been deleted.

Import a GPG secring

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Above the table of keys, select the options button (three dots). In the dropdown menu, select Import secring.

  5. Drag the keyring file to the import box, or select the box to choose the file from your local environment.

  6. Enter the password protecting the secring. Select Next.

  7. Enter an alias for each master key and subkey. Select Import.

Note

  • Supported formats include .gpg and .asc.

  • Supported algorithms include ECDSA NIST P-384, ECDSA NIST P-256, EdDSA25519, RSA-3072, RSA-4096, and RSA-2048.

  • Maximum file size for a secring is 100KB.

  • Secrings are imported as Open access, Production category, and Offline status. Once a secring is imported, you can change these settings.

  • Secrings cannot be imported if the master keypair is revoked or expired; if the file contains multiple secrings; if the master private key is empty; if the user ID for the master key does not include the person's name and email address; or if the key size, algorithm, or curve is not supported.

  • Subkeys will be imported with reduced permissions if they have any permissions not supported by DigiCert® Software Trust Manager. The import system will ignore subkeys that are not valid.

Export a GPG keyring

We recommend keeping your GPG secrings in Software Trust Manager. Exporting a secring adds a layer of risk that your key will be compromised. If you must export a GPG secring, be sure you can store it securely.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > GPG keypairs.

  4. Select the secring you want to export.

  5. Select the three dots next to its name. From the dropdown, select Export secring.

  6. Enter a reason for the export (optional).

  7. Select Next.

Once the approver(s) make a decision, you will receive an email telling you whether your request was approved or rejected.

  1. The approver for this keypair receives your request for export. If a team manages this keypair, you may need multiple approvals before exporting it.

  2. In the approval email, select Download. A browser window will open with a passcode on it.

  3. Select Download.

    Caution

    WARNING: If you lose your passcode, you must begin this process (including approvals) from the start.
