You can do this, but this is not necessarily a good practice.
First, when you say "SSL certificate", you probably mean "X.509 certificate." SSL / TLS uses X.509 certificates most of the time, but it can also use OpenPGP certificates (as far as I know, only GnuTLS supports them).
Please note that I also use the expression "OpenPGP certificate". Most people call them PGP "public keys", but they are actually certificates: they are a combination of a public key, an identifier and some attributes signed by other objects that attach their signature to them to form a common certificate. Strictly speaking, this not just a public key.
The main difference between an X.509 certificate and a PGP certificate is that X.509 can have only one signature (issuer signature), while several signatures can be added to a PGP certificate. (The PGP model can be used for a hierarchical model similar to PKI, while the PKI model cannot be used to process the Web-of-Trust model.)
This Java code demonstrates how to "convert" a set of PGP keys to a self-signed X.509 certificate. Basically, you can also turn it into a CSR to get an X.509 certificate from CA. Whether this is a good idea is another matter.
First, it is usually recommended to recreate new key pairs once in a while. This is usually one of the reasons X.509 certificates used for SSL have an expiration date (PGP signatures can also be time limited).
You will also effectively place all your eggs in one basket. If one of the keys is cracked, both the X.509 and PGP certificates will be compromised.
More importantly, I thought that the wrong practice was to reuse the same keys for signing and encryption : using them for two different applications (SSL / TLS and GnuPG) only worsen the situation.
Bruno
source share