FAQ for GnuPG VS-Desktop Administrators

This is a list of questions concerning the administration of GnuPG VS-Desktop.

See ⇒ the user FAQ for user questions.

Certificates / Public keys

Which S/MIME certificates does GnuPG VS-Desktop trust and how do I add more root certificates?

GnuPG VS-Desktop has its own directory and settings for globally accepted X509 certificates, since according to the approval only certificates from a PKI that meets the requirements of BSI TR-03145 Secure CA operation may be used for VS-NfD.

We ship a configuration that includes some common approved certificate authorities, e.g. "PCA-1-Verwaltung".

For how to add more certificate authorities, please refer to the description How to add a new root CA (german only).

A certificate is not shown as valid despite trust in its root CA

You have trusted a root CA, yet an intermediate CA derived from it is not trusted. This usually occurs when the CRL (Certificate Revocation List) of a certificate cannot be retrieved. This would be the case with offline systems, but also with systems with strong filtering or a proxy.

For error analysis, you can run the following at the command prompt:

gpgsm --with-validation -k "CertificateID"

Then an error cause is named.

If your network access is via a proxy, you must configure this in the registry settings for GnuPG VS-Desktop, see S/MIME proxy Configuration.

If you run GnuPG VS-Desktop on an offline system and want to use S/MIME certificates, you must check the option "Never consult a CRL" in the Kleopatra settings under "S/MIME". In order for this to be VS-NfD compliant, you must then regularly check the revocation lists on another computer with online access.

S/MIME proxy Configuration

… using the configuration of the HTTP proxy as an example. If the certificate revocation lists (CRLs) are not delivered via HTTP, you will find the other relevant setting options for LDAP proxy or for the exclusion of a protocol on the page Registry Settings.

For the HTTP proxy, create the string HttpProxy in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GNU\GnuPG and give it the address of your proxy as a value, with port and/or password if required: FAQ-reg-entry-proxy.png.

Make sure that the entry is created in the correct place in the registry, there are several nodes with the name "GnuPG". To check, you can display which configuration values are taken into account at runtime by entering on the command line:

gpgconf -X | findstr HttpProxy

If possible, you should avoid mixing registry settings and those in Kleopatra: The registry settings are valid globally on the computer, the settings in Kleopatra are valid locally for the user. They are stored in files under %APPDATA%\gnupg, which may take precedence over registry entries. In this case, the entry "http-proxy" would be stored in %APPDATA%\gnupg\dirmngr.conf and the registry value HttpProxy would be ignored if you use the default configuration of GnuPG VS-Desktop. This usually makes sense, as different proxy settings may be necessary at different locations.

In this regard, please note that http-proxy and some other options in the detailed description of registry settings are marked with superscript [user]. They can all be individually adjusted in addition to the registry settings in Kleopatra by the user.

Performance and scripting

Can the encryption of large amounts of data be accelerated?

Encryption on the command line is generally faster than with the graphical frontend Kleopatra. Therefore, for large amounts of data to be encrypted at once, it may be worthwhile to do this on the command line.


Which settings can be changed by users?

Configuration templates are stored under %ProgramData%\GNU\etc\gnupg\dirmngr.conf during installation. These are changed via the registry. In the templates, options of a group may be marked with [force] or not. The [force] marking means that these options cannot be changed by the user. They are greyed out in the Kleopatra configuration, if they are displayed at all.

We have marked the options that a user can change in the default configuration on the page "Verbose Description of VSD Registry Settings" with OPTION[user].