Cannot extend expired subkeys

Checking the keys stored on the Nitrokey with the command gpg --card-status, I can see that every subkey has expired:

sec#  rsa4096/0x8891383EF89D9F5A  erzeugt: 2020-02-25  verfällt: niemals
ssb>  rsa4096/0x82F7E075D0B3AB32  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x27886A4F0A4D017E  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x34DD0A449BDDB937  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX

If I try to change the expiry date, I get this error message:

gpg: signing failed: No secret key
gpg: make_keysig_packet failed: No secret key

I tried it using this procedure:

  1. gpg --expert --edit-key 0x8891383EF89D9F5A

  2. Select relevant subkey

  3. expire

  4. 1y

My understanding is that I cannot modify expired subkeys on the security card directly. Instead I must create new subkeys and export these keys to the security card.

Can you please advise how to proceed correctly?


You need the primary key (the [C]ertificate capable key) to make any key signatures. That is, to change anything in the key itself. In the program’s output above the sec# means that this keyring does not have the primary key.

The output of gpg --expert --edit-key 0x8891383EF89D9F5A confirms that the [C]ertificate capable key exists:

pub  rsa4096/0x8891383EF89D9F5A
     erzeugt: 2020-02-25  verfällt: niemals     Nutzung: C
     Vertrauen: ultimativ     Gültigkeit: ultimativ

Only the public part of the primary key exists. The secret part doesn’t exist, which is confirmed by the sec#.

I have exported the private key using the command gpg -a --export-secret-keys 0x8891383EF89D9F5A > private.key.
I verified the generated file private.key, and it shows this at the end of the file:


Then I executed this command:
gpg --import .\private.key

However, gpg -K still shows the secret part as missing:

gpg -K
sec#  rsa4096/0x8891383EF89D9F5A 2020-02-25 [C]
  Schl.-Fingerabdruck = 5C70 D64F 418E BADB 77EE  05DE 8891 383E F89D 9F5A
uid                [ ultimativ ] 

My subkeys expired recently as well; what I did was the following, and it worked:

# display card status for keyid
gpg2 --card-status
# edit the key that you specify by its keyid
gpg2 --edit-key keyid
# select the keys you want to renew
# after selection they should be marked with a *
key 1
key 2
key 3
# renew selected keys

Since my cert key was on another Nitrokey, I needed to plug in that Nitrokey as well for the second-to-last step.

And the keys on the card were renewed; I didn’t have to transfer new keys.

Edit: I re-tested it a minute ago for all my subkeys and it worked without any issues.


What is your output of gpg -K?
Do you get output with the sec#?

This is what my gpg -K output looks like.

No sec#, but it specifies the serial number of the other Nitrokey it’s on.

Also, I thought Nitrokeys can only store up to three keypairs. In your case this would mean that you’d have three subkeys + the cert key on it, which shouldn’t work afaik.


  1. What Nitrokey model do you use?
  2. In general, extending is a public key operation: one needs to modify public key data, sign it and send it to the key server / recipients.
  3. The private key never leaves any Nitrokey USB stick by design. What you should get from GPG is a private key stub, referring to the hardware location.
  4. You might need to remove the private key stubs, and recreate them with gpg2 --card-status, with the Nitrokey connected. If you use the same keys on multiple Nitrokey USB sticks, then GnuPG could be confused, and ask for the device originally used with this key. Here the key stub removal could help.
  5. If you are using Nitrokey Start, please make sure you are on the right Identity.

sec# means that the particular secret key file is completely missing from the .gnupg/private-keys-v1.d directory.

sec> means that there is a stub key file in .gnupg/private-keys-v1.d but the actual key data has been moved to (or created in) a smart card, like a Nitrokey. The stub key file knows the serial number of the smart card so GnuPG can prompt for a smart card.


Wait, I thought Nitrokeys are made to not be capable of just exporting out the private keys?

gpg has its own keyring in $HOME/.gnupg directory (by default). Public keys are in pubring.kbx file and secret keys are in subdirectory private-keys-v1.d. Commands gpg --export (for public keys) and gpg --export-secret-keys (for public and secret keys) export keys from those places in the filesystem. They can’t export anything from a smart card (like Nitrokey).

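The sec# / sec> distinction explained in the replies above can also be read from gpg's colon-delimited listing, which is easier to check in a script than the localized human-readable output. The following POSIX shell sketch is an added example, not code from any poster in this thread. It assumes GnuPG 2.x --with-colons output; the function names, the card serial number and the timestamps in the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.x --with-colons output:
# field 5 = key ID, field 7 = expiry (epoch seconds, empty = never),
# field 12 = capabilities, field 15 = '#' when the secret key is missing
# (sec#/ssb#), a card serial number for a smart-card stub (sec>/ssb>),
# '+' or empty when the key material is in private-keys-v1.d.

# Constructed sample listing: key IDs as quoted in the thread; the card
# serial number and the timestamps are made-up placeholders.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:8891383EF89D9F5A:1582588800:::u:::cC:::#:::23::0:
ssb:e:4096:1:82F7E075D0B3AB32:1582588800:1614124800:::::s:::D2760001240103040005000012340000:::23:
ssb:e:4096:1:27886A4F0A4D017E:1582588800:1614124800:::::e:::D2760001240103040005000012340000:::23:
EOF
}

# usage: classify_secret_keys NOW_EPOCH < colon-listing
# prints: record keyid capabilities location expiry-state
classify_secret_keys() {
    awk -F: -v now="$1" '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#") where = "missing"
            else if ($15 != "" && $15 != "+") where = "card:" $15
            else where = "on-disk"
            if ($7 == "") state = "never"
            else if ($7 + 0 < now + 0) state = "expired"
            else state = "valid"
            print $1, $5, $12, where, state
        }'
}

# Exit 0 only if the primary (certify) secret key is reachable, i.e. the
# edit-key expire command has something to sign the new expiry with.
primary_can_certify() {
    classify_secret_keys 0 |
        awk '$1 == "sec" { ok = ($4 != "missing") } END { exit(ok ? 0 : 1) }'
}

sample_listing | classify_secret_keys "$(date +%s)"
if sample_listing | primary_can_certify; then
    echo "primary secret key available: expiry can be extended"
else
    echo "primary secret key missing (sec#): key signatures will fail"
fi
```

On a real keyring, replace sample_listing with gpg -K --with-colons followed by the key ID.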