4.1.3 How to manage the certificates and keys

--gen-key
This command will only print an error message and direct the user to the gpgsm-gencert.sh script.
--list-keys
-k
List all available certificates stored in the local key database. Note that the displayed data might be reformatted for better human readability and illegal characters are replaced by safe substitutes.
--list-secret-keys
-K
List all available certificates for which a corresponding secret key is available.
--list-external-keys pattern
List certificates matching pattern using an external server. This utilizes the dirmngr service.
--list-chain
Same as --list-keys but also prints all keys making up the chain.
--dump-cert
--dump-keys
List all available certificates stored in the local key database using a format useful mainly for debugging.
--dump-chain
Same as --dump-keys but also prints all keys making up the chain.
--dump-secret-keys
List all available certificates for which a corresponding secret key is available, using a format useful mainly for debugging.
--dump-external-keys pattern
List certificates matching pattern using an external server. This utilizes the dirmngr service. It uses a format useful mainly for debugging.
--keydb-clear-some-cert-flags
This is a debugging aid to reset certain flags in the key database which are used to cache certain certificate states. It is especially useful if a bad CRL or a misbehaving OCSP responder accidentally revoked a certificate. There is no security issue with this command because gpgsm always makes sure that the validity of a certificate is checked right before it is used.
--delete-keys pattern
Delete the keys matching pattern.
--export [pattern]
Export all certificates stored in the Keybox or those specified by the optional pattern. When used along with the --armor option, a few informational lines are prepended before each block.
--export-secret-key-p12 key-id
Export the private key and the certificate identified by key-id in PKCS#12 format. When used along with the --armor option, a few informational lines are prepended to the output. Note that the PKCS#12 format is not very secure and this command is only provided if there is no other way to exchange the private key. (See option --p12-charset.)
--import [files]
Import the certificates from the PEM or binary encoded files as well as from signed-only messages. This command may also be used to import a secret key from a PKCS#12 file.
--learn-card
Read information about the private keys from the smartcard and import the certificates from there. This command utilizes the gpg-agent and in turn the scdaemon.
--passwd user_id
Change the passphrase of the private key belonging to the certificate specified as user_id. Note that changing the passphrase/PIN of a smartcard is not yet supported.
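
An added example (not part of the GnuPG manual) for the --export-secret-key-p12 caveat above: because the PKCS#12 file is weakly protected, this wrapper confirms a secret key exists with --list-secret-keys, writes the export owner-only, and refuses to overwrite an existing file. The function name export_p12, the GPGSM override variable and the return codes are assumptions of this example; it uses gpgsm's --output option and assumes --list-secret-keys prints nothing when no certificate matches.

```shell
#!/bin/sh
# Added example: export a key pair to PKCS#12 with restrictive file handling.
# GPGSM may be overridden to point at another binary (assumption of this
# example); by default the gpgsm found in PATH is used.
GPGSM=${GPGSM:-gpgsm}

# export_p12 KEY_ID OUTFILE
# Return codes (chosen for this example):
#   0 success            2 missing argument       3 no matching secret key
#   4 OUTFILE exists     5 export failed or produced an empty file
export_p12() {
    key_id=$1
    out=$2
    [ -n "$key_id" ] && [ -n "$out" ] || return 2

    # Never overwrite: a stale or attacker-planted file (or symlink) at the
    # target path must not end up holding private key material.
    [ ! -e "$out" ] || return 4

    # --list-secret-keys only shows certificates that have a secret key.
    # Assumption: no output at all means nothing matched KEY_ID.
    "$GPGSM" --list-secret-keys "$key_id" 2>/dev/null | grep -q . || return 3

    # Create the file under umask 077 so it is never readable by group or
    # others, not even briefly between creation and chmod.
    (
        umask 077
        "$GPGSM" --output "$out" --export-secret-key-p12 "$key_id"
    ) || { rm -f "$out"; return 5; }

    # An empty file means the export did not really succeed.
    [ -s "$out" ] || { rm -f "$out"; return 5; }

    chmod 600 "$out"
}

# Usage (key-id and path are placeholders):
#   export_p12 KEY-ID /path/on/encrypted/volume/key.p12
```

Delete the PKCS#12 file once it has been imported on the receiving side; the copy in the key database remains protected by gpg-agent.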