Creating New Key Pairs

The menu item FileNew Certificate... (Ctrl+N) starts the Certificate Creation Wizard which will guide you through a number of steps to create a certificate request.

Whenever you are done with a step in the wizard, press Next to go to the next step (or Back to review steps that are already completed). The certificate request creation can be canceled at any time by pressing the Cancel button.

On the first page of the wizard choose which type of certificate you want to create:

Create a personal OpenPGP key pair

OpenPGP key pairs are created locally, and certified by your friends and acquaintances. There is no central certification authority; instead, every individual creates a personal Web Of Trust by certifying other user's key pairs with his own certificate.

You have to enter a Name, EMail and optional a Comment.

Create a personal X.509 key pair and certification request

X.509 key pairs are created locally, but certified centrally by a certification authority (CA). CAs can certify other CAs, creating a central, hierarchical chain of trust.

The next step in the wizard is to type in your personal data for the certificate. The fields to fill out are:

  • Common Name (CN): Your name;

  • Email address (EMAIL): Your email address; be sure to type this in correctly—this will be the address people will be sending mail to when they use your certificate.

  • Location (L): The town or city in which you live;

  • Organizational unit (OU): The organizational unit you are in (for example, "Logistics");

  • Organization (O): The organization you represent (for example, the company you work for);

  • Country code (C): The two letter code for the country in which you are living (for example, "US");

The next step in the wizard is to select whether to store the certificate in a file or send it directly to a CA. You will have to specify the filename or email address to send the certificate request to.

Revoking a key

A key pair that has expired can be brought back into an operational state as long as you have access to the private key and the passphrase. To reliably render a key unusable you need to revoke it. Revoking is done by adding a special revocation signature to the key.

This revocation signature is stored in a separate file. This file can later be imported into the keyring and is then attached to the key rendering it unusable. Please note that to import this signature to the key no password is required. Therefore you should store this revocation signature in a safe place, usually one that is different from you key pair. It is a good advise to use a place that is detached from your computer, either copy it to an external storage device like an USB stick or print it out.

Kleopatra does not provide a function to create such a revocation signature at any time, but you can do that with the KDE application KGpg by choosing KeysRevoke key and optionally importing the revocation signature to your keyring immediately.

An alternative way of generating a revocation certificate is to use GPG directly from the command line: gpg --output revocation_certificate.asc --gen-revoke your_key. The argument your_key must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair.