gpgsm --gen-key prompts the user for usage flags for the key:
--------
Possible actions for a RSA key:
(1) sign, encrypt (2) sign (3) encrypt
Your selection? 1
but then if the user selects "N" for "Create self-signed certificate?", the
generated certificate request does not reflect these flags.
A full transcript follows:
0 dkg@alice:/tmp/cdtemp.r5qU5f$ gpgsm --gen-key > example.com.cert-req.pem
gpgsm (GnuPG) 2.1.5; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA (2) Existing key (3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
(1) sign, encrypt (2) sign (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=example.com
Enter email addresses (end with an empty line):
Enter DNS names (optional; end with an empty line):
example.com
www.example.com
Enter URIs (optional; end with an empty line):
Create self-signed certificate? (y/N)
These parameters are used:
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=example.com
Name-DNS: example.com
Name-DNS: www.example.com
Proceed with creation? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: about to sign the CSR for key: &DE8CC518EEE0BFF0EE9265461E8893EF7517A7DF
gpgsm: certificate request created
Ready. You should now send this request to your CA.
0 dkg@alice:/tmp/cdtemp.r5qU5f$ certtool --crq-info < example.com.cert-req.pem
PKCS #10 Certificate Request Information:
Version: 1
Subject: CN=example.com
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048): 00:cf:d5:01:1c:6d:3b:ce:2c:b0:97:e2:00:28:3b:31 fd:01:6e:e3:34:e3:23:ec:e4:8e:2f:4b:96:87:66:c2 76:42:b9:61:5a:67:5f:6d:76:67:a0:8e:4c:2d:d9:1b 4a:49:88:27:86:b7:54:db:6c:32:54:95:36:b8:b3:24 3a:25:76:af:8c:ae:ba:37:c0:12:66:cc:82:47:07:25 d2:6e:a1:6d:7a:79:e3:5b:75:75:b8:2d:d9:58:1e:1a 4d:b9:a2:45:b0:de:3f:9b:af:0e:b3:c4:b0:f6:4e:7b 61:27:13:9a:b4:80:f4:94:32:06:e3:b1:d6:1a:ac:d9 98:0e:96:1d:b2:01:20:e3:66:1a:74:5e:20:74:e9:3c 03:c2:0e:6f:76:bd:49:29:28:6d:71:2c:fb:33:b9:19 ac:41:bc:04:97:ce:f4:5b:f1:47:ae:cb:e6:0c:fb:d5 51:44:9d:22:f4:d5:f4:db:91:b7:bf:d6:63:a1:b8:9c fa:7d:42:52:2e:4d:fd:44:48:fc:c8:b8:81:3d:d6:02 8f:76:b4:42:03:1d:32:b9:3e:f4:f1:2d:67:c4:2b:f7 11:34:3f:6c:a3:e8:01:0e:bb:78:4d:e6:3c:1a:a4:71 5c:2f:f5:21:3f:db:fd:fa:2f:3d:3a:90:08:b3:46:0b 39 Exponent (bits 24): 01:00:01
Attributes:
Extensions:
Subject Alternative Name (not critical):
DNSname: example.com
DNSname: www.example.com
Other Information:
Public Key ID:
352ced7498f505e8752ae44699b2398461c7da2d
Self signature: verified
0 dkg@alice:/tmp/cdtemp.r5qU5f$
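A check that catches the gap reported above before a request goes to the CA: walk the CSR's extensionRequest attribute and report whether keyUsage is requested at all. This is an added example, not part of the original report or of GnuPG. It parses definite-length DER only, both sample requests are constructed with dummy key and signature bytes, and the digitalSignature plus keyEncipherment bits stand in for "sign, encrypt" as an assumption, not as gpgsm's mapping.

```python
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
OID_KEY_USAGE = bytes.fromhex("551d0f")            # 2.5.29.15 keyUsage
OID_SAN = bytes.fromhex("551d11")                  # 2.5.29.17 subjectAltName
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def tlvs(buf):  # yield (tag, value) for each definite-length DER element in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def requested_extensions(csr_der):  # map extnID -> extnValue from extensionRequest
    # Outer CertificationRequest, then its first element, CertificationRequestInfo.
    _, info = next(tlvs(next(tlvs(csr_der))[1]))
    found = {}
    for tag, attrs in tlvs(info):
        for _, attr in (tlvs(attrs) if tag == 0xA0 else ()):  # [0] attributes
            (_, oid), (_, values) = tlvs(attr)
            if oid == OID_EXT_REQ:
                _, exts = next(tlvs(values))
                for _, ext in tlvs(exts):
                    fields = list(tlvs(ext))  # extnID, optional critical, extnValue
                    found[fields[0][1]] = fields[-1][1]
    return found

def key_usage(csr_der):  # requested keyUsage bit names, or None when absent
    raw = requested_extensions(csr_der).get(OID_KEY_USAGE)
    if raw is None:
        return None
    data = next(tlvs(raw))[1][1:]  # BIT STRING content after the unused-bits byte
    return [name for i, name in enumerate(KU_NAMES)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))]

def der(tag, *parts):  # sample builder; short-form lengths only (under 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_csr(extensions):  # constructed CSR-shaped DER; dummy key and signature
    exts = der(0x30, *[der(0x30, der(0x06, o), der(0x04, v)) for o, v in extensions])
    attrs = der(0xA0, der(0x30, der(0x06, OID_EXT_REQ), der(0x31, exts)))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"example.com"))))
    info = der(0x30, der(0x02, b"\x00"), name, der(0x30, der(0x30), der(0x03, b"\x00")), attrs)
    return der(0x30, info, der(0x30), der(0x03, b"\x00"))

SAN = der(0x30, der(0x82, b"example.com"), der(0x82, b"www.example.com"))
AS_REPORTED = sample_csr([(OID_SAN, SAN)])  # SAN only, like the request in the report
WITH_USAGE = sample_csr([(OID_SAN, SAN), (OID_KEY_USAGE, der(0x03, b"\x05\xa0"))])
```

To run it on a real request, base64-decode the PEM body and pass the resulting DER bytes to `key_usage`; a return value of `None` means the request carries no keyUsage extension.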