Dawid Rycerz

Extending GPG Subkey Expiration on YubiKey

I’m always forgetting how to do this, so I’ll write yet another step-by-step guide on how to extend the expiration of subkeys on a YubiKey.

First you need:

The master key available locally (not on the YubiKey; get it from the backup that you have, don’t you?)

Steps

1. Verify your keys

Plug in the YubiKey and check the current state:

gpg --card-status

You should see:

  • sec — master key (local)
  • ssb> — subkeys on YubiKey (the > indicates the key is on a smartcard)

The full fingerprints are listed under:

  • Signature key — signing subkey
  • Encryption key — encryption subkey
  • Authentication key — authentication subkey

2. Get master key fingerprint

gpg -K --with-subkey-fingerprints

Copy the full fingerprint of the master key.

3. Extend subkey expiration

Extend all three subkeys at once:

gpg --quick-set-expire <MASTER_FULL_FP> 1y <SIGN_FULL_FP> <ENC_FULL_FP> <AUTH_FULL_FP>

Or extend all subkeys (including old/dead ones) with a wildcard:

gpg --quick-set-expire <MASTER_FULL_FP> 1y '*'

4. Verify the new expiration

gpg --card-status

Confirm the ssb> subkeys show the updated expiry date.

5. Export updated public key

gpg --export --armor <MASTER_KEY_ID> > pubkey.asc

The subkey expiration dates are stored in the public key metadata. Even though the key material hasn’t changed, the updated expiry needs to be distributed.

Remember to upload it to your:

  • git servers
  • keyservers (gpg --send-keys <MASTER_KEY_ID>)
  • any other service that verifies signatures

The expiry metadata changed, so update your offline backup of the public key.
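
To check the exported file before distributing it, the following sketch (an added example, not part of the original guide) reads GnuPG's machine-readable `--with-colons` listing and flags subkeys that are expired or expire within a chosen number of days. The function names and the sample listing are constructed for illustration, and it assumes GnuPG 2.x output, where the expiry field is seconds since the epoch.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Reads a `gpg --with-colons` key listing on stdin and reports subkey expiry.
# Colon-format fields used: 1=record type, 2=validity, 5=key ID,
# 7=expiration (seconds since epoch, empty = no expiry), 12=capabilities.
# Assumption: GnuPG 2.x output, where field 7 is an epoch timestamp.

# subkey_expiry_report NOW_EPOCH MIN_DAYS
# Prints "<keyid> <caps> <status>" per non-revoked subkey, where status is
# OK, SOON (expires within MIN_DAYS), EXPIRED or NEVER.
subkey_expiry_report() {
    awk -F: -v now="$1" -v min_days="$2" '
        $1 == "sub" && $2 != "r" {
            if ($7 == "")                           status = "NEVER"
            else if ($7 + 0 <= now + 0)             status = "EXPIRED"
            else if ($7 - now < min_days * 86400)   status = "SOON"
            else                                    status = "OK"
            print $5, $12, status
        }'
}

# subkeys_need_attention NOW_EPOCH MIN_DAYS
# Exit status 0 if any subkey is SOON or EXPIRED, 1 otherwise.
subkeys_need_attention() {
    subkey_expiry_report "$1" "$2" | grep -Eq ' (SOON|EXPIRED)$'
}

# Constructed sample listing (key IDs and timestamps are made up).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::cSC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000:1800000000:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000:1800000000:::::e::::::23:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1600000000:1751000000:::::a::::::23:
sub:e:4096:1:EEEEEEEEEEEEEEEE:1500000000:1600000000:::::e::::::23:
sub:r:4096:1:FFFFFFFFFFFFFFFF:1500000000:1600000000:::::s::::::23:
EOF
}

# Real use, after step 5:
#   gpg --show-keys --with-colons pubkey.asc | subkey_expiry_report "$(date +%s)" 30
```

Old subkeys that were never renewed show up as EXPIRED here, which is expected if you extended only the three subkeys on the YubiKey rather than using the wildcard.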

Additionally

  • pass requires no changes — it uses the same encryption subkey, just with a new expiry.
  • Git signing requires no local config changes — git uses the same key ID.
  • Only the public key export/upload is needed to keep external services working.