Preview: OpenPGP card-backed CAs

Today, we want to share our excitement about the upcoming support for OpenPGP card-backed instances of OpenPGP CA, and take a look at how an OpenPGP card-backed CA instance will be operated.

OpenPGP CA has received support from the NLnet foundation during its initial development. Now we’re receiving a second round of support through the NGI Assure Fund, to add support for hardened modes of operation.


With the upcoming version of OpenPGP CA, initializing a CA that is backed by an OpenPGP card takes just one step. This step automatically generates a new CA key, uploads the key material to your card, and sets up the CA database (in a file named test.oca, here):

$ openpgp-ca -d test.oca ca init card FFFE:01234567 on-host

This card-backed OpenPGP CA instance can be used in exactly the same ways as a soft-key backed CA. For example, you can import and certify a user’s key like this:

$ openpgp-ca -d test.oca user import --key-file --email


As of today, you can meet the OpenPGP CA team - as well as other users - on the OFTC IRC network, in the channel #openpgp-ca. Come hang out with us there, and tell us about the projects you’re building on top of OpenPGP CA!

OpenPGP CA 0.10.1 released

Today we’re happy to announce the first release of the OpenPGP CA 0.10.x series. The code for OpenPGP CA 0.10.1 is tagged on gitlab.

Starting with this release, we’re publishing to So from now on, you can conveniently cargo install openpgp-ca.

Right now, we’re publishing two crates:

Note: for the time being, there is no release of the OpenPGP CA REST daemon on, since it depends on rocket 0.5, which is not yet released.

While we’re talking crates, there’s also the related, which is used by openpgp-ca for exporting to Keylist format.
