Importing and exporting certificates

Certificates can be disseminated in many ways: as a download from a website, as an attachment to an email, and so on. In these cases, you end up with a certificate contained in a file. To use that, you have to import it into the certificate store with:

$ sq cert import $FILE

This will try to import the certificate inside $FILE. If $FILE is skipped, sq cert import expects the certificate on STDIN:

$ cat $FILE | sq cert import

Importing certificates from a file has no influence on any implied authenticity. It's imported into the certificate store as-is, without attesting to its authenticity. To attest to its authenticity, use sq pki link add.

Certificates can be exported from the cert store with:

$ sq cert export $QUERY

where $QUERY can consist of:

  • --cert $FPR – a certificate designated by its fingerprint
  • --cert-email $EMAIL – all certificates containing a user id matching $EMAIL
  • --cert-userid $USERID – all certificates containing a user id $USERID
  • --cert-domain $DOMAIN – all certificates containing a user id with an email address from domain $DOAMIN
  • --cert-grep $PATTERN – all certificates containing a user id matching $PATTERN

These queries can be combined, and sq cert export will then export any valid certificates matching any of these queries. Invalid certificates, such as those using outdated hash functions in signatures, are excluded. You can work around this restriction by passing --policy-as-of using a date which pre-dates the deprecation date of said function.

$ sq cert export --cert-email alice@example.com
$ sq cert export --cert EE99C48D11A4BE940569C4B3919EA6F609043A04 --cert-domain example.com

The result of the query is printed to STDOUT.

A special query is --all: This exports all certificates, even the invalid ones.

sq cert export will not export non-exportable signatures, including components bound by these signatures. Passing --local will include these components — this feature is meant for backups, or if you want to synchronize between different devices or locations (like a USB stick).

$ sq cert export --local --all

Import a certificate into GnuPG

To import a cert into the GnuPG Keyring, export it as above and pipe it directly into the gpg --import command:

$ sq cert export alice@example.com | gpg --import