
File: gnupg.info,  Node: Dirmngr ISVALID,  Next: Dirmngr CHECKCRL,  Prev: Dirmngr LOOKUP,  Up: Dirmngr Protocol

3.6.2 Validate a certificate using a CRL or OCSP
------------------------------------------------

       ISVALID [--only-ocsp] [--force-default-responder] CERTID|CERTFPR

   Check whether the certificate described by the CERTID has been
revoked.  Due to caching, the Dirmngr is able to answer immediately in
most cases.

   The CERTID is a hex encoded string consisting of two parts, delimited
by a single dot.  The first part is the SHA-1 hash of the issuer name
and the second part the serial number.

   Alternatively the certificate's SHA-1 fingerprint CERTFPR may be
given in which case an OCSP request is done before consulting the CRL.
If the option '--only-ocsp' is given, no fallback to a CRL check will be
used.  If the option '--force-default-responder' is given, only the
default OCSP responder will be used and any other methods of obtaining
an OCSP responder URL won't be used.

Common return values are:

'GPG_ERR_NO_ERROR (0)'
     This is the positive answer: The certificate is not revoked and we
     have an up-to-date revocation list for that certificate.  If OCSP
     was used the responder confirmed that the certificate has not been
     revoked.

'GPG_ERR_CERT_REVOKED'
     This is the negative answer: The certificate has been revoked.
     Either it is in a CRL and that list is up to date or an OCSP
     responder informed us that it has been revoked.

'GPG_ERR_NO_CRL_KNOWN'
     No CRL is known for this certificate or the CRL is not valid or out
     of date.

'GPG_ERR_NO_DATA'
     The OCSP responder returned an "unknown" status.  This means that
     it is not aware of the certificate's status.

'GPG_ERR_NOT_SUPPORTED'
     This is commonly seen if OCSP support has not been enabled in the
     configuration.

   If Dirmngr does not have enough information about the given
certificate (which is the case for certificates not yet cached), it
will inquire the missing data:

       S: INQUIRE SENDCERT <CertID>
       C: D <DER encoded certificate>
       C: END

   A client should be aware that DirMngr may ask for more than one
certificate.

   If Dirmngr has a certificate but the signature of the certificate
could not be validated because the root certificate is not known to
Dirmngr as trusted, it may ask back to see whether the client trusts
this root certificate:

       S: INQUIRE ISTRUSTED <CertHexfpr>
       C: D 1
       C: END

   Only this answer will let Dirmngr consider the certificate as valid.
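   As an added example (not from the GnuPG manual), the following Python client
issues ISVALID over a line-based Assuan transport and answers both inquiries
described above, run against a constructed stand-in for Dirmngr so it works
offline.  The numeric gpg-error values, the Dirmngr source bits in the ERR line,
and the `make_certid` and `assuan_escape` helpers are assumptions, not taken
from this page.

```python
import hashlib
# Codes from libgpg-error for the names listed above (numeric values assumed here).
GPG_ERR_NO_ERROR, GPG_ERR_NO_DATA, GPG_ERR_NOT_SUPPORTED = 0, 58, 60
GPG_ERR_CERT_REVOKED, GPG_ERR_NO_CRL_KNOWN = 94, 95
GPG_ERR_CODE_MASK = 0xFFFF   # an ERR line carries source|code; the code is the low 16 bits

def make_certid(issuer_name: bytes, serial: bytes) -> str:
    """CERTID as defined above: hex SHA-1 of the issuer name, a dot, the hex serial.
    Which encoding of the issuer name gets hashed is the caller's choice (assumption)."""
    return hashlib.sha1(issuer_name).hexdigest().upper() + "." + serial.hex().upper()

def assuan_escape(data: bytes) -> str:
    """Percent-escape the bytes Assuan forbids inside a D line: '%', CR and LF."""
    return "".join("%%%02X" % b if b in (0x25, 0x0D, 0x0A) else chr(b) for b in data)

def isvalid(conn, certid: str, cert_der: bytes, trust_root: bool, only_ocsp=False) -> int:
    """Send ISVALID, answer Dirmngr's inquiries, and return the gpg-error code."""
    if not conn.readline().startswith("OK"):              # Assuan greeting
        raise RuntimeError("server did not greet with OK")
    conn.writeline("ISVALID " + ("--only-ocsp " if only_ocsp else "") + certid)
    while True:
        line = conn.readline()
        if line.startswith("INQUIRE SENDCERT"):           # may be asked more than once
            conn.writeline("D " + assuan_escape(cert_der))
            conn.writeline("END")
        elif line.startswith("INQUIRE ISTRUSTED"):        # only "D 1" counts as trust
            if trust_root: conn.writeline("D 1")
            conn.writeline("END")
        elif line.startswith(("S ", "#")): continue       # status and comment lines
        elif line.startswith("OK"): return GPG_ERR_NO_ERROR
        elif line.startswith("ERR "): return int(line.split()[1]) & GPG_ERR_CODE_MASK
        else: raise RuntimeError("unexpected line: " + line)

class FakeDirmngr:
    """Constructed stand-in following the inquiry sequence above; it records but does not enforce trust."""
    SOURCE_BITS = 10 << 24                                # GPG_ERR_SOURCE_DIRMNGR (assumed)
    def __init__(self, outcome: int):
        self.outcome, self.received, self.trusted = outcome, [], False
        self.queue, self.state = ["OK Dirmngr ready"], "idle"
    def readline(self) -> str: return self.queue.pop(0)
    def writeline(self, line: str) -> None:
        if line.startswith("ISVALID "):                   # uncached: ask for the cert
            self.queue.append("INQUIRE SENDCERT " + line.split()[-1]); self.state = "cert"
        elif line.startswith("D "): self.received.append(line[2:])
        elif line == "END" and self.state == "cert":      # root unknown: ask about trust
            self.queue.append("INQUIRE ISTRUSTED <CertHexfpr>"); self.state = "trust"
        elif line == "END" and self.state == "trust":
            self.trusted = self.received[-1] == "1"
            self.queue.append("OK" if not self.outcome else "ERR %d failed" % (self.SOURCE_BITS | self.outcome))
```

Against a real Dirmngr the same `isvalid` function works over its socket once `conn` reads and writes one Assuan line at a time.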
