Preview: OpenPGP card-backed CAs
Today, we want to share our excitement about the upcoming support for OpenPGP card-backed instances of OpenPGP CA, and take a look at how an OpenPGP card-backed CA instance will be operated.
OpenPGP CA has received support from the NLnet foundation during its initial development. Now we’re receiving a second round of support through the NGI Assure Fund, to add support for hardened modes of operation.
With the upcoming version of OpenPGP CA, initializing a CA that is backed by an OpenPGP card takes just one step.
This step automatically generates a new CA key, uploads the key material to your card, and sets up the CA database
(in a file named
$ openpgp-ca -d test.oca ca init example.org card FFFE:01234567 on-host
This card-backed OpenPGP CA instance can be used in exactly the same ways as a soft-key backed CA. For example, you can import and certify a user’s key like this:
$ openpgp-ca -d test.oca user import --key-file alice.pub --email email@example.com