How to set a custom creation date for OpenPGP certificates?

1

Can I create an OpenPGP Certificate containing a custom creation (start validity) Date?

I need to create an OpenPGP certificate today, but make it valid from next week only (for example).

Using tools like "Kleopatra", I'm able to set the "expiry date" only.

Bart

Posted 2016-02-26T14:43:20.307

Reputation: 11

2Why would you want this? Also, you could wait a week before exporting the public key, so no one is able to use it until then. Or create the key next week? – BadSkillz – 2016-02-26T15:22:45.717

2I think setting your computer's clock forward one week will do the trick. – Neil Smithline – 2016-02-26T15:27:12.943

1PGP doesn't use "certificates". Do you mean a public/private key pair? ("Certificate" is often the term used for the signed X.509 public key portion.) – a CVn – 2016-02-26T15:43:52.813

Thank you all! Every X days we need to create our keys, share the PublicKey with our partner and agree on the date we will start to use it. The time between when we create the keys and when our partner imports it into its system could be long. So we need a kind of "StartValidityDate". If I understand well, we have 2 ways:

  1. change the date of the O.S. so the "Creation Date" will also be the "StartValidityDate" (but we will not be able to change it)
  2. when we send our PublicKey to our partner, we will also send the "StartValidityDate" and our partner has to manage the PublicKey and the StartDate. Right? Thanks

– Bart – 2016-02-29T08:37:43.237

Answers

4

Keys and Certificates

First of all, OpenPGP has a different wording than X.509. What you describe as certificates is usually called "key" in OpenPGP, while only signatures on other keys are called a certification.

"Not valid before"

Furthermore, there is no defined "not valid before" parameter. There is the creation timestamp, but there is no defined behavior for dates in the future -- implementations of OpenPGP might issue a warning, completely deny using the key or simply ignore the fact altogether.

Faking the Creation Time

GnuPG does not know an option to set the creation time, but the system time is used. The easiest and most general way is to change the system time to the desired date.

For Linux, there is the very helpful tool faketime, which can be used to start other commands with arbitrary dates:

faketime '2008-12-24 08:15:42' gpg2 --gen-key

You might have to terminate gpg-agent so it gets restarted, if it does not see (but uses) the faked time.

GnuPG also has a --faketime parameter, but it only works if --debug is also set, which requires some compile options that are not always applied for production builds.

Jens Erat

Posted 2016-02-26T14:43:20.307

Reputation: 14 141

Perfect. faketime is exactly what I was looking for. In Arch Linux, the command is part of libfaketime: sudo pacman -S libfaketime – friederbluemle – 2018-12-04T08:45:13.173
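
Added example (not part of the original answer and not GnuPG's own code): because OpenPGP carries only a creation timestamp and no "not valid before" field, the receiving side can enforce an agreed start date itself and refuse keys whose creation time is still in the future. The Python code below parses constructed `gpg --with-colons` output; it assumes timestamps are printed as epoch seconds, the key IDs and user IDs are made up, and `agreed_start_by_key` is a hypothetical local policy table.

```python
from datetime import datetime, timezone

# Constructed `gpg --with-colons` output; key IDs and user IDs are made up.
# Field 1 = record type, 5 = key ID, 6 = creation time, 7 = expiry (epoch seconds).
SAMPLE = (
    "pub:-:4096:1:AAAAAAAAAAAAAAAA:1456444800:::-:::scESC:\n"            # created 2016-02-26
    "uid:-::::1456444800::::Current key <ops@example.org>:\n"
    "pub:-:4096:1:BBBBBBBBBBBBBBBB:1457049600:1488585600::-:::scESC:\n"  # created 2016-03-04
    "uid:-::::1457049600::::Next key <ops@example.org>:\n"
)

def to_utc(field):
    """Epoch-seconds field to an aware UTC datetime; an empty field means 'not set'."""
    return datetime.fromtimestamp(int(field), timezone.utc) if field else None

def parse_primary_keys(colons):
    """Yield (key_id, created, expires) for every 'pub' record."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            yield f[4], to_utc(f[5]), to_utc(f[6])

def key_status(created, expires, now, agreed_start=None):
    """Decide locally whether a key may be used at 'now'.

    agreed_start is the date agreed out of band; OpenPGP has no field for it.
    """
    if created > now:
        # Handling of a future creation time differs between implementations,
        # so refuse explicitly instead of relying on the OpenPGP library.
        return "creation-time-in-future"
    if agreed_start is not None and now < agreed_start:
        return "before-agreed-start"
    if expires is not None and now >= expires:
        return "expired"
    return "usable"

def check(colons, now, agreed_start_by_key=None):
    """Map key ID -> status; agreed_start_by_key is a hypothetical policy table."""
    starts = agreed_start_by_key or {}
    return {kid: key_status(created, expires, now, starts.get(kid))
            for kid, created, expires in parse_primary_keys(colons)}
```

Real input for `check` would come from `gpg --with-colons --list-keys`, with `now` taken from a trusted clock.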