gnupg: Dirmngr Configuration
3.3 Configuration
=================
Dirmngr makes use of several directories when running in daemon mode:
There are a few configuration files whih control the operation of
dirmngr. By default they may all be found in the current home directory
(⇒option --homedir).
'dirmngr.conf'
This is the standard configuration file read by 'dirmngr' on
startup. It may contain any valid long option; the leading two
dashes may not be entered and the option may not be abbreviated.
This file is also read after a 'SIGHUP' however not all options
will actually have an effect. This default name may be changed on
the command line (⇒option --options). You should backup
this file.
'/etc/gnupg/trusted-certs'
This directory should be filled with certificates of Root CAs you
are trusting in checking the CRLs and signing OCSP Responses.
Usually these are the same certificates you use with the
applications making use of dirmngr. It is expected that each of
these certificate files contain exactly one DER encoded certificate
in a file with the suffix '.crt' or '.der'. 'dirmngr' reads those
certificates on startup and when given a SIGHUP. Certificates which
are not readable or do not make up a proper X.509 certificate are
ignored; see the log file for details.
Applications using dirmngr (e.g. gpgsm) can request these
certificates to complete a trust chain in the same way as with the
extra-certs directory (see below).
Note that for OCSP responses the certificate specified using the
option '--ocsp-signer' is always considered valid to sign OCSP
requests.
'/etc/gnupg/extra-certs'
This directory may contain extra certificates which are preloaded
into the internal cache on startup. Applications using dirmngr
(e.g. gpgsm) can request cached certificates to complete a trust
chain. This is convenient in cases you have a couple intermediate
CA certificates or certificates usually used to sign OCSP
responses. These certificates are first tried before going out to
the net to look for them. These certificates must also be DER
encoded and suffixed with '.crt' or '.der'.
'~/.gnupg/crls.d'
This directory is used to store cached CRLs. The 'crls.d' part
will be created by dirmngr if it does not exists but you need to
make sure that the upper directory exists.
To be able to see what's going on you should create the configure
file '~/gnupg/dirmngr.conf' with at least one line:
log-file ~/dirmngr.log
To be able to perform OCSP requests you probably want to add the
line:
allow-ocsp
To make sure that new options are read and that after the
installation of a new GnuPG versions the installed dirmngr is running,
you may want to kill an existing dirmngr first:
gpgconf --kill dirmngr
You may check the log file to see whether all desired root
certificates have been loaded correctly.