How do I act as a CA?

I saw that X.509 certificates require a CA to certify them. However, I would like to be my own CA. I assumed that CAs are people with a copy of GPG4Win on their PCs, and that they just used their copy of the software to certify other certificates instead of making their own.

So after generating a pk10 request for certification for an X.509 cert, I’m trying to figure out how to certify it myself. Theoretically the software GPG4Win can perform the act of responding to the pk10 request for certification, but I don’t know how to do it. How do I certify my own X.509 cert?

Hi AJ,

There are two common “trust” models:
a) the web of trust, usually used by OpenPGP certificates
b) hierarchical trust, usually used by CMS/X.509

Of course you can run your own CA and set your own root CA.
The crypto engine within Gpg4win has the technical capability to do the necessary
operations for running a CA, but this is not supported by the frontends.
If you are a technical person, ask on the gnupg-users@ or -devel mailing list
to gather more information.

Best Regards,
ps.: Flattr Gpg4win at,
if you appreciate this answer and my work within the Gpg4win Initiative.
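
The hierarchical model from the answer above, as an added example that is not part of the original thread: a private root CA issues a certificate in response to a PKCS#10 request. It uses the OpenSSL command line rather than Gpg4win (an assumption that `openssl` is installed); all file names, subject names and lifetimes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a private root CA answers a PKCS#10
# request using the OpenSSL CLI. Subjects, file names and lifetimes are constructed.
set -eu

make_demo_ca() (
  umask 077                      # private keys must not be world-readable
  mkdir -p "$1" && cd "$1"

  # The root asserts CA:TRUE; the issued certificate must not.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

  # 1. CA: key pair and self-signed root certificate (the trust anchor).
  openssl genrsa -out ca.key 3072 2>/dev/null
  openssl req -x509 -new -config ca.cnf -key ca.key -sha256 -days 365 -out ca.crt

  # 2. Requester: own key pair and PKCS#10 request; only user.csr goes to the CA.
  openssl genrsa -out user.key 3072 2>/dev/null
  openssl req -new -config ca.cnf -key user.key -subj "/CN=AJ Example" -out user.csr

  # 3. CA: check the request's self-signature, then issue with leaf extensions.
  openssl req -in user.csr -noout -verify >/dev/null 2>&1
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 90 -extfile ca.cnf -extensions v3_leaf -out user.crt 2>/dev/null

  # 4. Relying party: trusts ca.crt only, and validates the issued certificate.
  openssl verify -CAfile ca.crt user.crt
)

make_demo_ca "${1:-$(mktemp -d)}"
```

The issued certificate validates only on machines where `ca.crt` has been installed as a trusted root; `ca.key` never leaves the CA.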

Hello AJ,
If you want to have a real certificate, not a self-signed one, I would advise using a public CA. Most of them cost money and are not very trustworthy in my opinion. From my point of view is a trustworthy organisation and they give you a certificate for free.
So give it a try.

There are many EXE files in the GPG4Win folder. Which one should I run to generate an x.509 keypair? Does it have the ability to generate an x.509 keypair in response to an x.509 request file? And what command line commands/switches would I use with this EXE file to accomplish this?