security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

Move parameter file description to the manual.

Browse Source
This commit is contained in:
Werner Koch 2011-03-01 17:08:49 +01:00
parent 28c157b55c
commit 00f8b68505
5 changed files with 473 additions and 365 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/ChangeLog
View File

@ -1,3 +1,8 @@
2011-03-01 Werner Koch <wk@g10code.com>
* gpgsm.texi (CSR and certificate creation): New.
* gpg.texi (Unattended GPG key generation): New.
2010-10-29 David Shaw <dshaw@jabberwocky.com>
* gpg.texi (GPG Configuration Options): Clarify that show-photos

189
doc/DETAILS
View File

@ -790,194 +790,7 @@ Key generation
Unattended key generation
=========================
This feature allows unattended generation of keys controlled by a
parameter file. To use this feature, you use --gen-key together with
--batch and feed the parameters either from stdin or from a file given
on the commandline. The description below is only for GPG; GPGSM has
a similar feature, see the file sm/certreqgen.c for a description.
The format of this file is as follows:
o Text only, line length is limited to about 1000 chars.
o You must use UTF-8 encoding to specify non-ascii characters.
o Empty lines are ignored.
o Leading and trailing spaces are ignored.
o A hash sign as the first non white space character indicates a comment line.
o Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
o Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
o The first parameter must be "Key-Type", control statements
may be placed anywhere.
o Key generation takes place when either the end of the parameter file
is reached, the next "Key-Type" parameter is encountered or at the
control statement "%commit"
o Control statements:
%echo <text>
Print <text>.
%dry-run
Suppress actual key generation (useful for syntax checking).
%commit
Perform the key generation. An implicit commit is done
at the next "Key-Type" parameter.
%pubring <filename>
%secring <filename>
Do not write the key to the default or commandline given
keyring but to <filename>. This must be given before the first
commit to take place, duplicate specification of the same filename
is ignored, the last filename before a commit is used.
The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one).
GnuPG < 2.1: Both control statements must be given.
GnuPG >= 2.1: "%secring" is now a no-op.
%ask-passphrase
Enable a mode where the command "passphrase" is ignored and
instead the usual passphrase dialog is used. This does not
make sense for batch key generation; however the unattended
key generation feature is also used by GUIs and this feature
relinquishes the GUI from implementing its own passphrase
entry code. This is a global option.
%no-ask-passphrase
Disable the ask-passphrase mode.
%no-protection
With GnuPG 2.1 it is not anymore possible to specify a
passphrase for unattended key generation. The passphrase
command is simply ignored and %ask-passpharse is thus
implicitly enabled. Using this option allows to the creation
of keys without any passphrases. This option is mainly
intended for regression tests.
%transient-key
If given the keys are created using a faster and a somewhat
less secure random number generator. This option may be used
for keys which are only used for a short time and do not
require full cryptographic strength. It takes only effect if
used together with the option no-protection.
o The order of the parameters does not matter except for "Key-Type"
which must be the first parameter. The parameters are only for the
generated keyblock and parameters from previous key generations are not
used. Some syntactically checks may be performed.
The currently defined parameters are:
Key-Type: <algo-number>|<algo-string>
Starts a new parameter block by giving the type of the primary
key. The algorithm must be capable of signing. This is a
required parameter. It may be "default" to use the default
one; in this case don't give a Key-Usage and use "default" for
the Subkey-Type.
Key-Length: <length-in-bits>
Length of the key in bits. The default is returned by running
the command "gpg --gpgconf-list".
Key-Usage: <usage-list>
Space or comma delimited list of key usage, allowed values are
"encrypt", "sign", and "auth". This is used to generate the
key flags. Please make sure that the algorithm is capable of
this usage. Note that OpenPGP requires that all primary keys
are capable of certification, so no matter what usage is given
here, the "cert" flag will be on. If no Key-Usage is
specified and the key-type is not "default", all allowed
usages for that particular algorithm are used; if it is not
given but "default" is used the usage will be "sign".
Subkey-Type: <algo-number>|<algo-string>
This generates a secondary key. Currently only one subkey
can be handled. "default" is also supported.
Subkey-Length: <length-in-bits>
Length of the subkey in bits. The default is returned by running
the command "gpg --gpgconf-list".
Subkey-Usage: <usage-list>
Similar to Key-Usage.
Passphrase: <string>
If you want to specify a passphrase for the secret key,
enter it here. Default is not to use any passphrase.
Name-Real: <string>
Name-Comment: <string>
Name-Email: <string>
The 3 parts of a key. Remember to use UTF-8 here.
If you don't give any of them, no user ID is created.
Expire-Date: <iso-date>|(<number>[d|w|m|y])
Set the expiration date for the key (and the subkey). It may
either be entered in ISO date format (2000-08-15) or as number
of days, weeks, month or years. The special notation
"seconds=N" is also allowed to directly give an Epoch
value. Without a letter days are assumed. Note that there is
no check done on the overflow of the type used by OpenPGP for
timestamps. Thus you better make sure that the given value
make sense. Although OpenPGP works with time intervals, GnuPG
uses an absolute value internally and thus the last year we
can represent is 2105.
Creation-Date: <iso-date>
Set the creation date of the key as stored in the key
information and which is also part of the fingerprint
calculation. Either a date like "1986-04-26" or a full
timestamp like "19860426T042640" may be used. The time is
considered to be UTC. If it is not given the current time
is used.
Preferences: <string>
Set the cipher, hash, and compression preference values for
this key. This expects the same type of string as "setpref"
in the --edit menu.
Revoker: <algo>:<fpr> [sensitive]
Add a designated revoker to the generated key. Algo is the
public key algorithm of the designated revoker (i.e. RSA=1,
DSA=17, etc.) Fpr is the fingerprint of the designated
revoker. The optional "sensitive" flag marks the designated
revoker as sensitive information. Only v4 keys may be
designated revokers.
Handle: <string>
This is an optional parameter only used with the status lines
KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100
characters and should not contain spaces. It is useful for
batch key generation to associate a key parameter block with a
status line.
Keyserver: <string>
This is an optional parameter that specifies the preferred
keyserver URL for the key.
Here is an example on how to create a key:
$ cat >foo <<EOF
%echo Generating a basic OpenPGP key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@foo.bar
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF
$ gpg --batch --gen-key foo
[...]
$ gpg --no-default-keyring --secret-keyring ./foo.sec \
--keyring ./foo.pub --list-secret-keys
/home/wk/work/gnupg-stable/scratch/foo.sec
------------------------------------------
sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@foo.bar>
ssb 1024g/8F70E2C0 2000-03-09
If you want to create a key with the default algorithms you would
use these parameters:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@foo.bar
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
The the manual for a description.
Layout of the TrustDB

257
doc/gpg.texi
View File

@ -104,10 +104,10 @@ page and at @inforef{Top,GnuPG 1,gpg}.
* GPG Examples:: Some usage examples.
Developer information:
@c * Unattended Usage:: Using @command{gpg} from other programs.
@c * GPG Protocol:: The protocol the server mode uses.
* Unattended Usage of GPG:: Using @command{gpg} from other programs.
@end menu
@c * GPG Protocol:: The protocol the server mode uses.
@c *******************************************
@ -2964,6 +2964,259 @@ Before you report a bug you should first search the mailing list
archives for similar problems and second check whether such a bug has
already been reported to our bug tracker at http://bugs.gnupg.org .
@c *******************************************
@c *************** **************
@c *************** UNATTENDED **************
@c *************** **************
@c *******************************************
@manpause
@node Unattended Usage of GPG
@section Unattended Usage
@command{gpg} is often used as a backend engine by other software. To help
with this a machine interface has been defined to have an unambiguous
way to do this. The options @option{--status-fd} and @option{--batch}
are almost always required for this.
@menu
* Unattended GPG key generation:: Unattended key generation
@end menu
@node Unattended GPG key generation,,,Unattended Usage of GPG
@section Unattended key generation
The command @option{--gen-key} may be used along with the option
@option{--batch} for unattended key generation. The parameters are
either read from stdin or given as a file on the command line.
The format of the parameter file is as follows:
@itemize @bullet
@item Text only, line length is limited to about 1000 characters.
@item UTF-8 encoding must be used to specify non-ASCII characters.
@item Empty lines are ignored.
@item Leading and trailing while space is ignored.
@item A hash sign as the first non white space character indicates
a comment line.
@item Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
@item Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
@item
The first parameter must be @samp{Key-Type}; control statements may be
placed anywhere.
@item
The order of the parameters does not matter except for @samp{Key-Type}
which must be the first parameter. The parameters are only used for
the generated keyblock (primary and subkeys); parameters from previous
sets are not used. Some syntactically checks may be performed.
@item
Key generation takes place when either the end of the parameter file
is reached, the next @samp{Key-Type} parameter is encountered or at the
control statement @samp{%commit} is encountered.
@end itemize
@noindent
Control statements:
@table @asis
@item %echo @var{text}
Print @var{text} as diagnostic.
@item %dry-run
Suppress actual key generation (useful for syntax checking).
@item %commit
Perform the key generation. Note that an implicit commit is done at
the next @asis{Key-Type} parameter.
@item %pubring @var{filename}
@itemx %secring @var{filename}
Do not write the key to the default or commandline given keyring but
to @var{filename}. This must be given before the first commit to take
place, duplicate specification of the same filename is ignored, the
last filename before a commit is used. The filename is used until a
new filename is used (at commit points) and all keys are written to
that file. If a new filename is given, this file is created (and
overwrites an existing one). For gnuPG versions prior to 2.1, both
control statements must be given. For GnuPG 2.1 and later
@samp{%secring} is a no-op.
@item %ask-passphrase
@itemx %no-ask-passphrase
Enable (or disable) a mode where the command @option{passphrase} is
ignored and instead the usual passphrase dialog is used. This does
not make sense for batch key generation; however the unattended key
generation feature is also used by GUIs and this feature relinquishes
the GUI from implementing its own passphrase entry code. These are
global control statements and affect all future key genrations.
@item %no-protection
Since GnuPG version 2.1 it is not anymore possible to specify a
passphrase for unattended key generation. The passphrase command is
simply ignored and @samp{%ask-passpharse} is thus implicitly enabled.
Using this option allows the creation of keys without any passphrase
protection. This option is mainly intended for regression tests.
@item %transient-key
If given the keys are created using a faster and a somewhat less
secure random number generator. This option may be used for keys
which are only used for a short time and do not require full
cryptographic strength. It takes only effect if used together with
the control statement @samp{%no-protection}.
@end table
@noindent
General Parameters:
@table @asis
@item Key-Type: @var{algo}
Starts a new parameter block by giving the type of the primary
key. The algorithm must be capable of signing. This is a required
parameter. @var{algo} may either be an OpenPGP algorithm number or a
string with the algorithm name. The special value @samp{default} may
be used for @var{algo} to create the default key type; in this case a
@samp{Key-Usage} shall not be given and @samp{default} also be used
for @samp{Subkey-Type}.
@item Key-Length: @var{nbits}
The requested length of the generated key in bits. The default is
returned by running the command @samp{gpg2 --gpgconf-list}.
@item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificatet for an
already existing key. Key-Length will be ignored when given.
@item Key-Usage: @var{usage-list}
Space or comma delimited list of key usages. Allowed values are
@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
generate the key flags. Please make sure that the algorithm is
capable of this usage. Note that OpenPGP requires that all primary
keys are capable of certification, so no matter what usage is given
here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
specified and the @samp{Key-Type} is not @samp{default}, all allowed
usages for that particular algorithm are used; if it is not given but
@samp{default} is used the usage will be @samp{sign}.
@item Subkey-Type: @var{algo}
This generates a secondary key (subkey). Currently only one subkey
can be handled. See also @samp{Key-Type} above.
@item Subkey-Length: @var{nbits}
Length of the secondary key (subkey) in bits. The default is returned
by running the command @samp{gpg2 --gpgconf-list}".
@item Subkey-Usage: @var{usage-list}
Key usage lists for a subkey; similar to @samp{Key-Usage}.
@item Passphrase: @var{string}
If you want to specify a passphrase for the secret key,
enter it here. Default is not to use any passphrase.
@item Name-Real: @var{name}
@itemx Name-Comment: @var{comment}
@itemx Name-Email: @var{email}
The three parts of a user name. Remember to use UTF-8 encoding here.
If you don't give any of them, no user ID is created.
@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
Set the expiration date for the key (and the subkey). It may either
be entered in ISO date format (2000-08-15) or as number of days,
weeks, month or years. The special notation "seconds=N" is also
allowed to directly give an Epoch value. Without a letter days are
assumed. Note that there is no check done on the overflow of the type
used by OpenPGP for timestamps. Thus you better make sure that the
given value make sense. Although OpenPGP works with time intervals,
GnuPG uses an absolute value internally and thus the last year we can
represent is 2105.
@item Ceation-Date: @var{iso-date}
Set the creation date of the key as stored in the key information and
which is also part of the fingerprint calculation. Either a date like
"1986-04-26" or a full timestamp like "19860426T042640" may be used.
The time is considered to be UTC. If it is not given the current time
is used.
@item Preferences: @var{string}
Set the cipher, hash, and compression preference values for this key.
This expects the same type of string as the sub-command @samp{setpref}
in the @option{--edit-key} menu.
@item Revoker: @var{algo}:@var{fpr} [sensitive]
Add a designated revoker to the generated key. Algo is the public key
algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
@var{fpr} is the fingerprint of the designated revoker. The optional
@samp{sensitive} flag marks the designated revoker as sensitive
information. Only v4 keys may be designated revokers.
@item Keyserver: @var{string}
This is an optional parameter that specifies the preferred keyserver
URL for the key.
@item Handle: @var{string}
This is an optional parameter only used with the status lines
KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
characters and should not contain spaces. It is useful for batch key
generation to associate a key parameter block with a status line.
@end table
@noindent
Here is an example on how to create a key:
@smallexample
$ cat >foo <<EOF
%echo Generating a basic OpenPGP key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@@foo.bar
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF
$ gpg2 --batch --gen-key foo
[...]
$ gpg2 --no-default-keyring --secret-keyring ./foo.sec \
--keyring ./foo.pub --list-secret-keys
/home/wk/work/gnupg-stable/scratch/foo.sec
------------------------------------------
sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@@foo.bar>
ssb 1024g/8F70E2C0 2000-03-09
@end smallexample
@noindent
If you want to create a key with the default algorithms you would use
these parameters:
@smallexample
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@@foo.bar
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
@end smallexample
@mansect see also
@ifset isman
@command{gpgv}(1),

160
doc/gpgsm.texi
View File

@ -165,10 +165,12 @@ use @samp{--help} to get a list of supported operations.
@table @gnupgtabopt
@item --gen-key
@opindex gen-key
This command allows the creation of a certificate signing request. It
is commonly used along with the @option{--output} option to save the
created CSR into a file. If used with the @option{--batch} a parameter
file is used to create the CSR.
This command allows the creation of a certificate signing request or a
self-signed certificate. It is commonly used along with the
@option{--output} option to save the created CSR or certificate into a
file. If used with the @option{--batch} a parameter file is used to
create the CSR or certificate and it is further possible to create
non-self-signed certificates.
@item --list-keys
@itemx -k
@ -886,14 +888,12 @@ $ gpgsm -er goo@@bar.net <plaintext >ciphertext
@end example
@c man end
@c *******************************************
@c *************** **************
@c *************** UNATTENDED **************
@c *************** **************
@c *******************************************
@manpause
@node Unattended Usage
@section Unattended Usage
@ -905,6 +905,7 @@ but may also be used in the standard operation mode by using the
@menu
* Automated signature checking:: Automated signature checking.
* CSR and certificate creation:: CSR and certificate creation.
@end menu
@node Automated signature checking,,,Unattended Usage
@ -951,13 +952,156 @@ this is a missing certificate.
@end table
@node CSR and certificate creation,,,Unattended Usage
@section CSR and certificate creation
The command @option{--gen-key} may be used along with the option
@option{--batch} to either create a certificate signing request (CSR) or an
X.509 certificate. The is controlled by a parameter file; the format
of this file is as follows:
@itemize @bullet
@item Text only, line length is limited to about 1000 characters.
@item UTF-8 encoding must be used to specify non-ASCII characters.
@item Empty lines are ignored.
@item Leading and trailing while space is ignored.
@item A hash sign as the first non white space character indicates
a comment line.
@item Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
@item Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
@item The first parameter must be @samp{Key-Type}, control statements
may be placed anywhere.
@item
The order of the parameters does not matter except for @samp{Key-Type}
which must be the first parameter. The parameters are only used for
the generated CSR/certificate; parameters from previous sets are not
used. Some syntactically checks may be performed.
@item
Key generation takes place when either the end of the parameter file
is reached, the next @samp{Key-Type} parameter is encountered or at the
control statement @samp{%commit} is encountered.
@end itemize
@noindent
Control statements:
@table @asis
@item %echo @var{text}
Print @var{text} as diagnostic.
@item %dry-run
Suppress actual key generation (useful for syntax checking).
@item %commit
Perform the key generation. Note that an implicit commit is done at
the next @asis{Key-Type} parameter.
@c %certfile <filename>
@c [Not yet implemented!]
@c Do not write the certificate to the keyDB but to <filename>.
@c This must be given before the first
@c commit to take place, duplicate specification of the same filename
@c is ignored, the last filename before a commit is used.
@c The filename is used until a new filename is used (at commit points)
@c and all keys are written to that file. If a new filename is given,
@c this file is created (and overwrites an existing one).
@c Both control statements must be given.
@end table
@noindent
General Parameters:
@table @asis
@item Key-Type: @var{algo}
Starts a new parameter block by giving the type of the primary
key. The algorithm must be capable of signing. This is a required
parameter. The only supported value for @var{algo} is @samp{rsa}.
@item Key-Length: @var{nbits}
The requested length of a generated key in bits. Defaults to 2048.
@item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificatet for an
already existing key. Key-Length will be ignored when given.
@item Key-Usage: @var{usage-list}
Space or comma delimited list of key usage, allowed values are
@samp{encrypt} and @samp{sign}. This is used to generate the keyUsage
extension. Please make sure that the algorithm is capable of this
usage. Default is to allow encrypt and sign.
@item Name-DN: @var{subject-name}
This is the Distinguished Name (DN) of the subject in RFC-2253 format.
@item Name-Email: @var{string}
This is an email address for the altSubjectName. This parameter is
optional but may occur several times to add several email addresses to
a certificate.
@item Name-DNS: @var{string}
The is an DNS name for the altSubjectName. This parameter is optional
but may occur several times to add several DNS names to a certificate.
@item Name-URI: @var{string}
This is an URI for the altSubjectName. This parameter is optional but
may occur several times to add several URIs to a certificate.
@end table
@noindent
Additional parameters used to create a certificate (in contrast to a
certificate signing request):
@table @asis
@item Serial: @var{sn}
If this parameter is given an X.509 certificate will be generated.
@var{sn} is expected to be a hex string representing an unsigned
integer of arbitary length. The special value @samp{random} can be
used to create a 64 bit random serial number.
@item Issuer-DN: @var{issuer-name}
This is the DN name of the issuer in rfc2253 format. If it is not set
it will default to the subject DN and a special GnuPG extension will
be included in the certificate to mark it as a standalone certificate.
@item Creation-Date: @var{iso-date}
@itemx Not-Before: @var{iso-date}
Set the notBefore date of the certificate. Either a date like
@samp{1986-04-26} or @samp{1986-04-26 12:00} or a standard ISO
timestamp like @samp{19860426T042640} may be used. The time is
considered to be UTC. If it is not given the current date is used.
@item Expire-Date: @var{iso-date}
@itemx Not-After: @var{iso-date}
Set the notAfter date of the certificate. Either a date like
@samp{2063-04-05} or @samp{2063-04-05 17:00} or a standard ISO
timestamp like @samp{20630405T170000} may be used. The time is
considered to be UTC. If it is not given a default value in the not
too far future is used.
@item Signing-Key: @var{keygrip}
This gives the keygrip of the key used to sign the certificate. If it
is not given a self-signed certificate will be created. For
compatibility with future versions, it is suggested to prefix the
keygrip with a @samp{&}.
@item Hash-Algo: @var{hash-algo}
Use @var{hash-algo} for this CSR or certificate. The supported hash
algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and
@samp{sha512}; they may also be specified with uppercase letters. The
default is @samp{sha1}.
@end table
@c *******************************************
@c *************** *****************
@c *************** ASSSUAN *****************
@c *************** *****************
@c *******************************************
@manpause
@node GPGSM Protocol
@section The Protocol the Server Mode Uses.

115
sm/certreqgen.c
View File

@ -19,124 +19,17 @@
*/
/*
The format of the native parameter file is follows:
o Text only, line length is limited to about 1000 chars.
o You must use UTF-8 encoding to specify non-ascii characters.
o Empty lines are ignored.
o Leading and trailing spaces are ignored.
o A hash sign as the first non white space character is a comment line.
o Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
o Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
o The first parameter must be "Key-Type", control statements
may be placed anywhere.
o Key generation takes place when either the end of the parameter file
is reached, the next "Key-Type" parameter is encountered or at the
controlstatement "%commit"
o Control statements:
%echo <text>
Print <text>.
%dry-run
Suppress actual key generation (useful for syntax checking).
%commit
Perform the key generation. Note that an implicit commit is done
at the next "Key-Type" parameter.
%certfile <filename>
[Not yet implemented!]
Do not write the certificate to the keyDB but to <filename>.
This must be given before the first
commit to take place, duplicate specification of the same filename
is ignored, the last filename before a commit is used.
The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one).
Both control statements must be given.
o The order of the parameters does not matter except for "Key-Type"
which must be the first parameter. The parameters are only for the
generated keyblock and parameters from previous key generations are not
used. Some syntactically checks may be performed.
The currently defined parameters are:
Key-Type: <algo>
Starts a new parameter block by giving the type of the
primary key. The algorithm must be capable of signing.
This is a required parameter. For now the only supported
algorithm is "rsa".
Key-Length: <length-in-bits>
Length of the key in bits. Default is 2048.
Key-Grip: <hexstring>
This is optional and used to generate a request for an already
existing key. Key-Length will be ignored when given,
Key-Usage: <usage-list>
Space or comma delimited list of key usage, allowed values are
"encrypt" and "sign". This is used to generate the KeyUsage extension.
Please make sure that the algorithm is capable of this usage. Default
is to allow encrypt and sign.
Name-DN: <subject_name>
This is the DN name of the subject in rfc2253 format.
Name-Email: <string>
The is an email address for the altSubjectName
Name-DNS: <string>
The is an DNS name for the altSubjectName
Name-URI: <string>
The is an URI for the altSubjectName
The following parameters are only used if a certificate (and not
a certificate signing request) is requested:
Serial: <sn>
If this parameter is given an X.509 certificate will be
generated. SN is expected to be a hex string representing an
unsigned integer of arbitary length. The special value
"random" can be used to crete a 64 bit random serial number.
Issuer-DN: <issuer_name>
This is the DN name of the issuer in rfc2253 format. If it is
not set the subject DN will be used instead. This creates a
self-signed certificate. Only in this case a special GnuPG
extension will then be included in the certificate to mark it
as a standalone certificate.
Creation-Date: <iso-date>
Set the notBefore date of the certificate. Either a date like
"1986-04-26" or a full timestamp like "19860426T042640" may be
used. The time is considered to be UTC. If it is not given
the current date is used.
Expire-Date: <iso-date>
Set the notBefore date of the certificate. Either a date like
"1986-04-26" or a full timestamp like "19860426T042640" may be
used. The time is considered to be UTC. If it is not given a
default value is used.
Signing-Key: <keygrip>
This gives the keygrip of the key used to sign the
certificate. If it is not given a self-signed certificate
will be created.
Hash-Algo: <hash-algo>
Use HASH-ALGO for this certificate. The supported hash
algorithms are: "sha-1", "sha-256", "sha-384" and "sha-512".
"sha-1" is the default.
The format of the parameter file is described in the manual under
"Unattended Usage".
Here is an example:
$ cat >foo <<EOF
%echo Generating a standard key
Key-Type: RSA
Key-Length: 2048
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
Name-Email: joe@foo.bar
# Do a commit here, so that we can later print "done" :-)
# Do a commit here, so that we can later print a "done"
%commit
%echo done
EOF