GnuPG VS-Desktop has its own directory and settings for globally accepted X509 certificates, since according to the approval only certificates from a PKI that meets the requirements of BSI TR-03145 Secure CA operation may be used for VS-NfD.

We ship a configuration that includes some common approved certificate authorities, e.g. "PCA-1-Verwaltung".

For how to add more certificate authorities, please refer to the description How to add a new root CA (german only).

You have trusted a root CA, yet an intermediate CA derived from it is not trusted. This usually occurs when the CRL (Certificate Revocation List) of a certificate cannot be retrieved. This would be the case with offline systems, but also with systems with strong filtering or a proxy.

For error analysis, you can run the following at the command prompt:

gpgsm --with-validation -k "CertificateID"

Then an error cause is named.

If your network access is via a proxy, you must configure this in the registry settings for GnuPG VS-Desktop, see S/MIME proxy Configuration.

If you run GnuPG VS-Desktop on an offline system and want to use S/MIME certificates, you must check the option "Never consult a CRL" in the Kleopatra settings under "S/MIME". In order for this to be VS-NfD compliant, you must then regularly check the revocation lists on another computer with online access.

Configuration templates are stored under %ProgramData%\GNU\etc\gnupg\dirmngr.conf during installation. These are changed via the registry. In the templates, options of a group may be marked with [force] or not. The [force] marking means that these options cannot be changed by the user. They are greyed out in the Kleopatra configuration, if they are displayed at all.

We have marked the options that a user can change in the default configuration on the page "Detailed Guide to VSD Registry Settings" with OPTION^[user].

GnuPG and the GnuPG Desktop variants support the use of LDAP directories with an OpenPGP schema to search for certificates. This enables a very user-friendly distribution of certificates in an organization.

The following documents contain information on setting up and using an LDAP directory with GnuPG:

• "How to use LDAP with GnuPG" describes, among other things, how to set up an OpenLDAP server under Linux and provides further information on using LDAP with GnuPG.
• "How to install an LDS for use with GnuPG (VS-)Desktop®" describes the setup of a Microsoft Windows LDS as a key server and the client configuration for GnuPG (VS-)Desktop®.