
File: gnupg.info,  Node: Certificate Options,  Next: Input and Output,  Prev: Configuration Options,  Up: GPGSM Options

5.2.2 Certificate related options
---------------------------------

'--enable-policy-checks'
'--disable-policy-checks'
     By default policy checks are enabled.  These options may be used to
     change this.

'--enable-crl-checks'
'--disable-crl-checks'
     By default the CRL checks are enabled and the DirMngr is used to
     check for revoked certificates.  The disable option is most useful
     with an off-line network connection to suppress this check and also
     to avoid new certificates introducing a web bug by including a
     certificate-specific CRL distribution point (DP).  The disable option
     also disables the issuer certificate lookup via the
     authorityInfoAccess property of the certificate; the option
     '--enable-issuer-key-retrieve' can be used to make use of that
     property anyway.

'--enable-trusted-cert-crl-check'
'--disable-trusted-cert-crl-check'
     By default the CRLs for trusted root certificates are checked just
     like those for any other certificate.  This allows a CA to revoke its
     own certificates voluntarily without needing to put every
     certificate it ever issued into a CRL.  The disable option may be
     used to switch this extra check off.  Due to the caching done by the
     Dirmngr, there will not be any noticeable performance gain.  Note
     that this also disables possible OCSP checks for trusted root
     certificates.  A more specific way of disabling this check is to add
     the "relax" keyword to the root CA line of the 'trustlist.txt'.

'--force-crl-refresh'
     Tell the dirmngr to reload the CRL for each request.  For better
     performance, the dirmngr will actually optimize this by suppressing
     the reload for short time intervals (e.g. 30 minutes).  This option
     is useful to make sure that a fresh CRL is available for the
     certificates held in the keybox.  The suggested way of doing this is
     to use it along with the option '--with-validation' for a key
     listing command.  This option should not be used in a configuration
     file.

'--enable-issuer-based-crl-check'
     Run a CRL check even for certificates which do not have any CRL
     distribution point.  This requires that a suitable LDAP server has
     been configured in Dirmngr and that the CRL can be found using the
     issuer.  This option reverts to what GnuPG did up to version
     2.2.20.  This option is in general not useful.

'--enable-ocsp'
'--disable-ocsp'
     By default OCSP checks are disabled.  The enable option may be used
     to enable OCSP checks via Dirmngr.  If CRL checks are also enabled,
     CRLs will be used as a fallback if for some reason an OCSP request
     does not succeed.  Note that you also have to allow OCSP requests in
     Dirmngr's configuration (option '--allow-ocsp') and configure
     Dirmngr properly.  If you do not do so you will get the error code
     'Not supported'.
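     The two passages above describe option interplay that is easy to get
     wrong: '--enable-ocsp' in gpgsm.conf silently fails with 'Not
     supported' unless dirmngr.conf also carries 'allow-ocsp', and
     '--force-crl-refresh' is meant for the command line rather than the
     configuration file.  The following POSIX shell lint is an added
     example, not part of the GnuPG manual or the GnuPG project; the
     function names and the sample configuration files it builds are
     constructed for illustration.  It reads a gpgsm.conf and a
     dirmngr.conf and reports both mistakes, checking a deliberately
     misconfigured pair beside a corrected one.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): lint a gpgsm.conf/dirmngr.conf
# pair for two mistakes described in the manual text:
#   1. 'enable-ocsp' in gpgsm.conf without 'allow-ocsp' in dirmngr.conf
#      (OCSP requests then fail with the error code 'Not supported')
#   2. 'force-crl-refresh' persisted in gpgsm.conf instead of being passed
#      on the command line together with --with-validation
# The configuration files written below are constructed sample input.

# conf_has_option FILE OPTION: succeed if OPTION (bare name, no leading
# dashes, as written in gpg config files) is set in FILE.  Commented-out
# lines ('#allow-ocsp') and options with a value ('validation-model chain')
# are handled; leading whitespace is ignored.
conf_has_option() {
    file=$1
    opt=$2
    grep -Eq "^[[:space:]]*${opt}([[:space:]]|$)" "$file"
}

# lint_cert_checks GPGSM_CONF DIRMNGR_CONF: print one WARN line per problem
# and return the number of problems found (0 means the pair is consistent).
lint_cert_checks() {
    gpgsm_conf=$1
    dirmngr_conf=$2
    problems=0
    if conf_has_option "$gpgsm_conf" enable-ocsp &&
       ! conf_has_option "$dirmngr_conf" allow-ocsp; then
        echo "WARN: enable-ocsp set in $gpgsm_conf but allow-ocsp missing in $dirmngr_conf (OCSP would fail with 'Not supported')"
        problems=$((problems + 1))
    fi
    if conf_has_option "$gpgsm_conf" force-crl-refresh; then
        echo "WARN: force-crl-refresh found in $gpgsm_conf; use it on the command line instead, e.g. gpgsm --force-crl-refresh --with-validation --list-keys"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# --- constructed sample configurations -------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Misconfigured pair: OCSP enabled on the gpgsm side only, and the
# per-request refresh option wrongly placed in the configuration file.
cat > "$SAMPLE_DIR/gpgsm-bad.conf" <<'EOF'
# constructed sample gpgsm.conf
enable-crl-checks
enable-ocsp
force-crl-refresh
EOF
cat > "$SAMPLE_DIR/dirmngr-bad.conf" <<'EOF'
# constructed sample dirmngr.conf: allow-ocsp left commented out
#allow-ocsp
EOF

# Corrected pair: dirmngr allows OCSP, and the refresh is left for the
# command line.
cat > "$SAMPLE_DIR/gpgsm-good.conf" <<'EOF'
# constructed sample gpgsm.conf
enable-crl-checks
enable-ocsp
EOF
cat > "$SAMPLE_DIR/dirmngr-good.conf" <<'EOF'
# constructed sample dirmngr.conf
allow-ocsp
EOF

# Run the lint on both pairs; the if/else keeps a non-zero count from
# aborting the script when it runs under 'set -e'.
if lint_cert_checks "$SAMPLE_DIR/gpgsm-bad.conf" "$SAMPLE_DIR/dirmngr-bad.conf"; then
    BAD_RC=0
else
    BAD_RC=$?
fi
if lint_cert_checks "$SAMPLE_DIR/gpgsm-good.conf" "$SAMPLE_DIR/dirmngr-good.conf"; then
    GOOD_RC=0
else
    GOOD_RC=$?
fi
echo "problems in misconfigured pair: $BAD_RC, in corrected pair: $GOOD_RC"
```

     Run it as 'sh lint-cert-checks.sh'; to lint a real installation,
     call 'lint_cert_checks' with the paths of your own gpgsm.conf and
     dirmngr.conf instead of the constructed samples.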

'--auto-issuer-key-retrieve'
     If a required certificate is missing while validating the chain of
     certificates, try to load that certificate from an external
     location.  This usually means that Dirmngr is employed to search
     for the certificate.  Note that this option makes "web bug"-like
     behavior possible.  LDAP server operators can see which keys you
     request, so by sending you a message signed by a brand new key
     (which you naturally will not have in your local keybox), the
     operator can tell both your IP address and the time when you
     verified the signature.  Note that if CRL checking is not disabled,
     issuer certificates are retrieved in any case using the caIssuers
     authorityInfoAccess method.

'--validation-model NAME'
     This option changes the default validation model.  The only
     possible values are "shell" (which is the default), "chain", which
     forces the use of the chain model, and "steed" for a new simplified
     model.  The chain model is also used if an option in the
     'trustlist.txt' or an attribute of the certificate requests it.
     However, the standard model (shell) is in that case always tried
     first.

'--ignore-cert-extension OID'
     Add OID to the list of ignored certificate extensions.  The OID is
     expected to be in dotted decimal form, like '2.5.29.3'.  This
     option may be used more than once.  Critical-flagged certificate
     extensions matching one of the OIDs in the list are treated as if
     they were actually handled, and thus the certificate will not be
     rejected due to an unknown critical extension.  Use this option
     with care because extensions are usually flagged as critical for a
     reason.
