FreeKB - Linux Commands gpg (create a public / private key pair)
Linux Commands - gpg (create a public / private key pair)

A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as Internet facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used.  Applications, such as a web browser, will complain when a self-signed certificate is used.

The following files will be created:

Type of file
Private Key
Public Certificate


Use  apt-get or yum to install GNU privacy guard (GPG).

[root@server1 ~]# apt-get install gnupg
[root@server1 ~]# yum install gnupg


Creating the public certificate and private key

Use the gpg --gen-key command to create a public certificate and private key. Select the kind of key you want:

[root@server1 ~]# gpg --gen-key
Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection?


Select the key size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? 


Select when the key will expire:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? 


Enter your first and last name:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: 


Enter your email address:

Email address:


Comments are option, and will be visible in the signature.



Type O if everything is OK.

You selected this USER-ID:
    "John Doe <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 


Enter a passphrase:

You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase:


Use the operating system to generate random bits:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 188 more bytes)


After enough entropy, the public certificate and private key will be created.

gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 26BB0272 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/26BB0272 2017-01-22
      Key fingerprint = BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
uid                  John Doe <>
sub   2048R/2A79C284 2017-01-22


The keyring

The public / private key pair will be stored in a file called pubring.gpg. The --list-keys option can be used to view the location of the pubring.gpg file. The cat command cannot be used to view the contents of the pubring.gpg file. Instead, GPG needs to be used.

[root@server1 ~]# gpg --list-keys
pub  2048R/0127ECA5 2017-01-26
uid                 John Doe <>
sub  2048R/6FED1269 2017-01-26


Public certificate

Use the --export option to view the public certificate. The --armor option displays the output in ASCII format.

[root@server1 ~]# gpg --armor --export
. . .


Use redirection to create a file that contains the public certificate.

[root@server1 ~]# gpg --armor --export >


Certificate server

If you have a PKI server that is used to store and distribute public certificates, you can use the --keyserver and --send-keys options to upload the public certificate to the PKI server.

[root@server1 ~]# gpg --keyserver --send-keys


Import keys

The --import option can be used to add keys to the keyring.

[root@server1 ~]# gpg --import public.key



The --gen-revoke option can be used to revoke keys associated with a particular email. This will produce some output, which you should redirect to a file, such as revocation.gpg.

[root@server1 ~]# gpg --gen-revoke > revocation.gpg


Import the revocation.gpg file into your keyring.

[root@server1 ~]# gpg --import revocation.gpg


Listing the keyring, the key will now be revoked.

[root@server1 ~]# gpg --list-keys
pub  2048R/0127ECA5 2017-01-26 [revoked: 2017-01-29]
uid                 John Doe <>


If there is a certificate server, update the certificate server to have the newly revoked keyring.

[root@server1 ~]# gpg --keyserver --send-keys


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 52fb5 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |