GnuPG VS-Desktop has its own directory and settings for globally accepted X509 certificates, since according to the approval only certificates from a PKI that meets the requirements of BSI TR-03145 Secure CA operation may be used for VS-NfD.

We ship a configuration that includes some common approved certificate authorities, e.g. "PCA-1-Verwaltung".

For how to add more certificate authorities, please refer to the description How to add a new root CA (german only).

You have trusted a root CA, yet an intermediate CA derived from it is not trusted. This usually occurs when the CRL (Certificate Revocation List) of a certificate cannot be retrieved. This would be the case with offline systems, but also with systems with strong filtering or a proxy.

For error analysis, you can run the following at the command prompt:

gpgsm --with-validation -k "CertificateID"

Then an error cause is named.

If your network access is via a proxy, you must configure this in the registry settings for GnuPG VS-Desktop, see S/MIME proxy Configuration.

If you run GnuPG VS-Desktop on an offline system and want to use S/MIME certificates, you must check the option "Never consult a CRL" in the Kleopatra settings under "S/MIME". In order for this to be VS-NfD compliant, you must then regularly check the revocation lists on another computer with online access.

Configuration templates are stored under %ProgramData%\GNU\etc\gnupg\dirmngr.conf during installation. These are changed via the registry. In the templates, options of a group may be marked with [force] or not. The [force] marking means that these options cannot be changed by the user. They are greyed out in the Kleopatra configuration, if they are displayed at all.

We have marked the options that a user can change in the default configuration on the page "Verbose Description of VSD Registry Settings" with OPTION^[user].