Importing and exporting certificates
Certificates can be disseminated in many ways: as a download from a website, as an attachment to an email, and so on. In these cases, you end up with a certificate contained in a file. To use it, you have to import it into the certificate store with:
$ sq cert import $FILE
This will try to import the certificate inside `$FILE`. If `$FILE` is omitted, `sq cert import` expects the certificate on STDIN:
$ cat $FILE | sq cert import
Importing a certificate from a file says nothing about its authenticity. It is imported into the certificate store as-is, without any attestation that it belongs to the claimed user. To attest to its authenticity, use `sq pki link add`.
Certificates can be exported from the cert store with:
$ sq cert export $QUERY
where `$QUERY` can consist of:
- `--cert $FPR`: a certificate designated by its fingerprint
- `--cert-email $EMAIL`: all certificates containing a user ID with the email address `$EMAIL`
- `--cert-userid $USERID`: all certificates containing the user ID `$USERID`
- `--cert-domain $DOMAIN`: all certificates containing a user ID with an email address from the domain `$DOMAIN`
- `--cert-grep $PATTERN`: all certificates containing a user ID matching `$PATTERN`
These queries can be combined, and `sq cert export` will then export any valid certificate matching any of them. Invalid certificates, such as those using outdated hash functions in signatures, are excluded. You can work around this restriction by passing `--policy-as-of` with a date that pre-dates the deprecation date of that hash function.
$ sq cert export --cert-email alice@example.com
$ sq cert export --cert EE99C48D11A4BE940569C4B3919EA6F609043A04 --cert-domain example.com
The result of the query is printed to STDOUT.
A special query is `--all`: this exports all certificates, even the invalid ones.
`sq cert export` will not export non-exportable signatures, nor the components bound by those signatures. Passing `--local` includes these components. This feature is meant for backups, or for synchronizing between different devices or locations (like a USB stick).
$ sq cert export --local --all
Import a certificate into GnuPG
To import a cert into the GnuPG keyring, export it as above and pipe the output directly into the `gpg --import` command:
$ sq cert export --cert-email alice@example.com | gpg --import
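The export-and-import workflow above, wrapped in a small POSIX shell script, as an added example that is not part of the sq documentation or the Sequoia project. It assumes `sq` and `gpg` are on `PATH`; the helper names `normalize_fpr`, `export_to_gpg` and `backup_certs` are this example's own. The fingerprint check guards against a typo turning `--cert` into a query that matches nothing (or, with a shell-mangled value, something unexpected) before anything reaches the GnuPG keyring; the backup helper shows where `--local --all` belongs.

```shell
#!/bin/sh
# Added example (not sq's own code). Assumes `sq` and `gpg` are installed.

# Normalise a fingerprint: strip spaces, uppercase it, and accept only a
# 40-hex-digit (OpenPGP v4) or 64-hex-digit (v6) value. Prints the
# normalised fingerprint on success and returns 1 otherwise.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;   # anything that is not a hex digit
    esac
    case ${#fpr} in
        40|64) printf '%s\n' "$fpr"; return 0 ;;
        *) return 1 ;;
    esac
}

# Export one certificate by fingerprint and import it into GnuPG.
# Exporting says nothing about authenticity: the cert goes into the
# GnuPG keyring as-is, so verify the fingerprint out of band and use
# `sq pki link add` on the sq side if you want to attest to it.
export_to_gpg() {
    fpr=$(normalize_fpr "$1") || {
        echo "refusing to export: '$1' is not a valid fingerprint" >&2
        return 1
    }
    sq cert export --cert "$fpr" | gpg --import
}

# Backup variant: --local --all also writes non-exportable signatures and
# the components they bind, so the output is for your own devices only.
backup_certs() {
    sq cert export --local --all > "$1"
}

# Usage (fingerprint taken from the page's own example):
#   export_to_gpg 'EE99C48D11A4BE940569C4B3919EA6F609043A04'
#   backup_certs  /media/usb/sq-certs-backup.pgp
```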