FAQ for GnuPG VS-Desktop Administrators

This is a list of questions concerning the administration of GnuPG VS-Desktop. We have also created FAQs for user questions regarding usage and possible issues.

Certificates / Public keys

Which S/MIME certificates does GnuPG VS-Desktop trust and how do I add more root certificates?

GnuPG VS-Desktop has its own directory and settings for globally accepted X509 certificates, since according to the approval only certificates from a PKI that meets the requirements of BSI TR-03145 Secure CA operation may be used for VS-NfD.

We ship a configuration that includes some common approved certificate authorities, e.g. "PCA-1-Verwaltung".

For how to add more certificate authorities, please refer to the description How to add a new root CA (german only).

A certificate is not shown as valid despite trust in its root CA

You have trusted a root CA, yet an intermediate CA derived from it is not trusted. This usually occurs when the CRL (Certificate Revocation List) of a certificate cannot be retrieved. This would be the case with offline systems, but also with systems with strong filtering or a proxy.

For error analysis, you can run the following at the command prompt:

gpgsm --with-validation -k "CertificateID"

Then an error cause is named.

If your network access is via a proxy, you must configure this in the registry settings for GnuPG VS-Desktop, see S/MIME proxy Configuration.

If you run GnuPG VS-Desktop on an offline system and want to use S/MIME certificates, you must check the option "Never consult a CRL" in the Kleopatra settings under "S/MIME". In order for this to be VS-NfD compliant, you must then regularly check the revocation lists on another computer with online access.

Miscellaneous

Which settings can be changed by users?

Configuration templates are stored under %ProgramData%\GNU\etc\gnupg\dirmngr.conf during installation. These are changed via the registry. In the templates, options of a group may be marked with [force] or not. The [force] marking means that these options cannot be changed by the user. They are greyed out in the Kleopatra configuration, if they are displayed at all.

We have marked the options that a user can change in the default configuration on the page "Verbose Description of VSD Registry Settings" with OPTION[user].

LDAP and GnuPG - Installation and Usage

GnuPG and the GnuPG Desktop variants support the use of LDAP directories with an OpenPGP schema to search for certificates. This enables a very user-friendly distribution of certificates in an organization.

The following documents contain information on setting up and using an LDAP directory with GnuPG: