Certificate Options - Using the GNU Privacy Guard

Next: Input and Output, Previous: Configuration Options, Up: GPGSM Options

4.2.2 Certificate related options

--enable-policy-checks
--disable-policy-checks: By default policy checks are enabled. These options may be used to change it.
--enable-crl-checks
--disable-crl-checks: By default the CRL checks are enabled and the DirMngr is used to check for revoked certificates. The disable option is most useful with an off-line network connection to suppress this check.
--enable-trusted-cert-crl-check
--disable-trusted-cert-crl-check: By default the CRL for trusted root certificates are checked like for any other certificates. This allows a CA to revoke its own certificates voluntary without the need of putting all ever issued certificates into a CRL. The disable option may be used to switch this extra check off. Due to the caching done by the Dirmngr, there won't be any noticeable performance gain. Note, that this also disables possible OCSP checks for trusted root certificates. A more specific way of disabling this check is by adding the “relax” keyword to the root CA line of the trustlist.txt
--force-crl-refresh: Tell the dirmngr to reload the CRL for each request. For better performance, the dirmngr will actually optimize this by suppressing the loading for short time intervalls (e.g. 30 minutes). This option is useful to make sure that a fresh CRL is available for certificates hold in the keybox. The suggested way of doing this is by using it along with the option --with-validation for a key listing command. This option should not be used in a configuration file.
--enable-ocsp
--disable-ocsp: Be default OCSP checks are disabled. The enable option may be used to enable OCSP checks via Dirmngr. If CRL checks are also enabled, CRLs will be used as a fallback if for some reason an OCSP request won't succeed. Note, that you have to allow OCSP requests in Dirmngr's configuration too (option --allow-ocsp and configure dirmngr properly. If you don't do so you will get the error code ‘Not supported’.
--auto-issuer-key-retrieve: If a required certificate is missing while validating the chain of certificates, try to load that certificate from an external location. This usually means that Dirmngr is employed t search for the certificate. Note that this option makes a "web bug" like behavior possible. LDAP server operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally will not have on your local keybox), the operator can tell both your IP address and the time when you verified the signature.
--validation-model name: This option changes the default validation model. The only possible values are "shell" (which is the default) and "chain" which forces the use of the chain model. The chain model is also used if an option in the trustlist.txt or an attribute of the certificate requests it. However the standard model (shell) is in that case always tried first.