Blog | G5 Cyber Security

CA Signed PGP Certificates

TL;DR

No, a traditional Certificate Authority (CA) cannot directly sign a PGP certificate in the same way they sign SSL/TLS certificates. PGP uses a Web of Trust model, not a hierarchical trust system like CAs. However, you can import a CA’s root certificate into your PGP keyring to verify signatures made by keys that have been signed by that CA (or more accurately, by someone the CA trusts). This doesn’t mean the CA ‘signed’ the PGP key itself; it means you trust the CA enough to accept their vouching for other keys.

Understanding the Difference

It’s important to understand how CAs and PGP work.

Steps to Use a CA Root Certificate with PGP

  1. Obtain the CA Root Certificate: Download the root certificate from the CA’s website in a suitable format (usually .pem or .crt). For example, you might download a Let’s Encrypt root certificate.
  2. Import the Certificate into your PGP Keyring: Use the gpg command to import the certificate.
    gpg --import ca-root.pem
  3. Verify the Import: Check that the certificate has been added to your keyring.
    gpg --list-keys

    Look for the CA’s key ID in the output.

  4. Trusting the Certificate (Optional, but Recommended): You can set a trust level for the imported CA root certificate. This tells PGP how much you rely on their vouching for other keys. Trust is set interactively with the trust command inside the key editor, using the key ID found in the previous step:
    gpg --edit-key <CA key ID>
    gpg> trust

    Follow the prompts to set the trust level (e.g., ‘ultimate’ if you fully trust the CA), then save to leave the editor.

  5. Verify Signatures: When verifying a PGP signature, GPG will now consider the CA root certificate when checking for valid paths of trust.
    gpg --verify signed-message.asc

    If the key that signed the message was signed by someone trusted by the CA (and you’ve imported and trusted the CA’s root certificate), verification should succeed.
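To make the trust propagation in steps 4 and 5 concrete, here is an added example (not code from the original post) that models GnuPG's classic web-of-trust validity calculation with its default thresholds; the key names, owner-trust assignments and certifications are constructed placeholders.

```python
# GnuPG classic-model defaults (--completes-needed, --marginals-needed, --max-cert-depth).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

def compute_validity(owner_trust, certifications):
    """Return {key_id: 'full' | 'marginal' | 'unknown'} for every key.
    owner_trust: {key_id: trust word} as recorded by `trust` in `gpg --edit-key`.
    certifications: {key_id: set of signer key_ids}, who has signed each key.
    Simplified rules: an ultimately trusted key is valid; another key becomes
    fully valid if, within MAX_CERT_DEPTH hops, COMPLETES_NEEDED valid keys with
    full/ultimate owner trust or MARGINALS_NEEDED valid keys with marginal owner
    trust signed it; fewer marginal signatures give only marginal validity.
    """
    validity = {k: 'unknown' for k in set(certifications) | set(owner_trust)}
    depth = {}  # certification hops from an ultimately trusted key
    for k, t in owner_trust.items():
        if t == 'ultimate':
            validity[k], depth[k] = 'full', 0
    changed = True
    while changed:  # repeat until no key changes validity (fixed point)
        changed = False
        for key, signers in certifications.items():
            if validity[key] == 'full':
                continue
            fulls, marginals, best = 0, 0, MAX_CERT_DEPTH
            for s in signers:
                if validity.get(s) != 'full' or depth[s] + 1 > MAX_CERT_DEPTH:
                    continue  # signatures from keys that are not valid never count
                t = owner_trust.get(s, 'unknown')
                if t in ('ultimate', 'full'):
                    fulls += 1
                elif t == 'marginal':
                    marginals += 1
                else:
                    continue  # valid key, but you never said you trust its owner
                best = min(best, depth[s] + 1)
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[key], depth[key], changed = 'full', best, True
            elif marginals and validity[key] == 'unknown':
                validity[key], changed = 'marginal', True
    return validity

# Constructed scenario (placeholder names): the imported "CA" key is set to
# ultimate; it certified alice, alice certified bob, bob certified carol.
OWNER_TRUST = {'CA': 'ultimate', 'alice': 'full'}
CERTIFICATIONS = {'CA': set(), 'alice': {'CA'}, 'bob': {'alice'},
                  'carol': {'bob'}, 'mallory': {'eve'}}
def demo():
    return compute_validity(OWNER_TRUST, CERTIFICATIONS)
```

In the scenario, carol stays unknown even though bob's key is valid: a CA-style chain only continues through keys whose owners you have explicitly assigned trust to, which is the difference between the web of trust and a hierarchical CA.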

Important Considerations
