Using Kleopatra, YubiKey, and PGP - How do I certify an imported public key?

I’m new to the world of PGP, Kleopatra, and YubiKey. Here’s my scenario. I created a new key pair in Kleopatra. My intent is to transfer the key to my YubiKey (my understanding is the private key gets transferred) since Yubico says that if I generate the PGP key pair on the YubiKey itself that I wouldn’t be able to export it to other YubiKeys. Well, my need is to transfer the same key to duplicate YubiKeys.

The creation of the keypairs in Kleopatra went well - did them in Ubuntu. In fact, I created two different ones – one to keep as a “hot” software key; the other as a “cold” hardware key. Certificates showed “certified” for both.

Next, I loaded the newly-created cold secret key onto my Yubikey following the instructions given on Yubico’s site. That seemed to go fine, as well. I then exported my two secret keys (.asc) + an export of my cold public key (.asc). to a thumb drive for export into my Windows machine. Here’s the oddity.

I started Kleopatra in Windows, imported my cold public key, and plugged in my YubiKey. I’m making the assumption that the secret key is already on the YubiKey (info shows up under “Manage Smartcards” section of Kleo) and the public key is imported as a separate certificate. The two pieces of a puzzle. I then ran a test. My thought process was that I could encrypt a document using the public key and then run a test to decrypt it using the physical Yubikey. However, my public key shows as “not certified” after importing. When I try to encrypt, I thought I’d be able to select my cold public cert in the “Encrypt for me” section. But it doesn’t give me that option. Ironically, if I add my other hot secret key to Kleopatra, it will select it as the option under “Encrypt for me”.

What am I missing here? How do I certify my public key that I imported into Kleopatra? Everything showed up as certified when I created it on Ubuntu. Why doesn’t that information travel with the key, even if you’re only grabbing the public part of it? Again, this is all new to me, so I’m learning as I go and am ignorant to a lot of things on this subject. Any suggestions would be helpful. Thanks in advance.

Hi Tom,

you may need to mark a public key as ultimately trusted when you import the secret key. (The details here are that trusting a key to certify other keys is different from having access to the secret key part. During creating, this trust is set automatically, during import of a secret key, it is not.)