DIRMNGR(8)                   GNU Privacy Guard 2.2                  DIRMNGR(8)

NAME

       dirmngr - GnuPG's network access daemon

SYNOPSIS

       dirmngr [options] command [args]

DESCRIPTION

       Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
       keyservers.  As with previous versions it is also used as a server for
       managing and downloading certificate revocation lists (CRLs) for X.509
       certificates, downloading X.509 certificates, and providing access to
       OCSP providers.  Dirmngr is invoked internally by gpg, gpgsm, or via
       the gpg-connect-agent tool.

COMMANDS

       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information.  Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on the stdin.  The
              default mode is to create a socket and listen for commands there.
              This is only used for testing.

       --daemon
              Run in background daemon mode and listen for commands on a
              socket.  This is the way dirmngr is started on demand by the
              other GnuPG components.  To force starting dirmngr it is in
              general best to use gpgconf --launch dirmngr.

       --supervised
              Run in the foreground, sending logs to stderr, and listening on
              file descriptor 3, which must already be bound to a listening
              socket.  This is useful when running under systemd or other
              similar process supervision schemes.  This option is not
              supported on Windows.

       --list-crls
              List the contents of the CRL cache on stdout.  This is probably
              only useful for debugging purposes.

       --load-crl file
              This command requires a filename as additional argument, and it
              will make Dirmngr try to import the CRL in file into its cache.
              Note that this is only possible if Dirmngr is able to retrieve
              the CA's certificate directly by its own means.  In general it
              is better to use gpgsm's --call-dirmngr loadcrl filename command
              so that gpgsm can help dirmngr.

       --fetch-crl url
              This command requires a URL as additional argument, and it will
              make dirmngr try to retrieve and import the CRL from that url
              into its cache.  This is mainly useful for debugging purposes.
              The dirmngr-client provides the same feature for a running
              dirmngr.

       --shutdown
              This command shuts down a running instance of Dirmngr.  This
              command has currently no effect.

       --flush
              This command removes all CRLs from Dirmngr's cache.  Client
              requests will thus trigger reading of fresh CRLs.

OPTIONS

       Note that all long options with the exception of --options and
       --homedir may also be given in the configuration file after stripping
       off the two leading dashes.

       --options file
              Reads configuration from file instead of from the default
              per-user configuration file.  The default configuration file is
              named ‘dirmngr.conf’ and expected in the home directory.

       --homedir dir
              Set the name of the home directory to dir.  This option is only
              effective when used on the command line.  The default is the
              directory named ‘.gnupg’ directly below the home directory of
              the user unless the environment variable GNUPGHOME has been set
              in which case its value will be used.  Many kinds of data are
              stored within this directory.

       -v
       --verbose
              Outputs additional information while running.  You can increase
              the verbosity by giving several verbose options to dirmngr,
              such as -vv.

       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what dirmngr actually does.  Use ‘socket://’ to log to
              a socket.

       --debug-level level
              Select the debug level for investigating problems.  level may be
              a numeric value or a keyword:

              none   No debugging at all.  A value of less than 1 may be used
                     instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get.  A value greater
                     than 8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

       How these messages are mapped to the actual debugging flags is not
       specified and may change with newer releases of this program.  They are
       however carefully selected to best aid in debugging.

       --debug flags
              Set debug flags.  All flags are or-ed and flags may be given in
              C syntax (e.g. 0x0042) or as a comma separated list of flag
              names.  To get a list of all supported flags the single word
              "help" can be used.  This option is only useful for debugging
              and the behavior may change at any time without notice.

       --debug-all
              Same as --debug=0xffffffff

       --tls-debug level
              Enable debugging of the TLS layer at level.  The details of the
              debug level depend on the used TLS library and are not set in
              stone.

       --debug-wait n
              When running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This gives time to
              attach a debugger.

       --disable-check-own-socket
              On some platforms dirmngr is able to detect the removal of its
              socket file and shut itself down.  This option disables this
              self-test for debugging purposes.

       -s
       --sh
       -c
       --csh  Format the info output in daemon mode for use with the standard
              Bourne shell or the C-shell, respectively.  The default is to
              guess it based on the environment variable SHELL which is in
              almost all cases sufficient.

       --force
              Enabling this option forces loading of expired CRLs; this is
              only useful for debugging.

       --use-tor
       --no-use-tor
              The option --use-tor switches Dirmngr and thus GnuPG into ``Tor
              mode'' to route all network access via Tor (an anonymity
              network).  Certain other features are disabled in this mode.
              The effect of --use-tor cannot be overridden by any other
              command or even by reloading dirmngr.  The use of --no-use-tor
              disables the use of Tor.  The default is to use Tor if it is
              available on startup or after reloading dirmngr.  The test on
              the availability of Tor is done by trying to connect to a SOCKS
              proxy at either port 9050 or 9150; if another type of proxy is
              listening on one of these ports, you should use --no-use-tor.

       --standard-resolver
              This option forces the use of the system's standard DNS resolver
              code.  This is mainly used for debugging.  Note that on Windows
              a standard resolver is not used and all DNS access will return
              the error ``Not Implemented'' if this option is used.  Using
              this together with enabled Tor mode returns the error ``Not
              Enabled''.

       --recursive-resolver
              When possible use a recursive resolver instead of a stub
              resolver.

       --resolver-timeout n
              Set the timeout for the DNS resolver to n seconds.  The default
              is 30 seconds.

       --connect-timeout n
       --connect-quick-timeout n
              Set the timeout for HTTP and generic TCP connection attempts to
              n seconds.  The value set with the quick variant is used when
              the --quick option has been given to certain Assuan commands.
              The quick value is capped at the value of the regular connect
              timeout.  The default values are 15 and 2 seconds.  Note that
              the timeout values are for each connection attempt; the
              connection code will attempt to connect all addresses listed
              for a server.

       --listen-backlog n
              Set the size of the queue for pending connections.  The default
              is 64.

       --allow-version-check
              Allow Dirmngr to connect to https://versions.gnupg.org to get
              the list of current software versions.  If this option is
              enabled the list is retrieved in case the local copy does not
              exist or is older than 5 to 7 days.  See the option
              --query-swdb of the command gpgconf for more details.  Note
              that regardless of this option a version check can always be
              triggered using this command:

                gpg-connect-agent --dirmngr 'loadswdb --force' /bye

       --keyserver name
              Use name as your keyserver.  This is the server that gpg
              communicates with to receive keys, send keys, and search for
              keys.  The format of the name is a URI:
              `scheme:[//]keyservername[:port]'  The scheme is the type of
              keyserver: "hkp" for the HTTP (or compatible) keyservers,
              "ldap" for the LDAP keyservers, or "mailto" for the Graff email
              keyserver.  Note that your particular installation of GnuPG may
              have other keyserver types available as well.  Keyserver
              schemes are case-insensitive.  After the keyserver name,
              optional keyserver configuration options may be provided.
              These are the same as the --keyserver-options of gpg, but apply
              only to this particular keyserver.

              Most keyservers synchronize with each other, so there is
              generally no need to send keys to more than one server.  Some
              keyservers use round robin DNS to give a different keyserver
              each time you use it.

              If exactly two keyservers are configured and only one is a Tor
              hidden service (.onion), Dirmngr selects the keyserver to use
              depending on whether Tor is locally running or not.  The check
              for a running Tor is done for each new connection.

              If no keyserver is explicitly configured, dirmngr will use the
              built-in default of https://keyserver.ubuntu.com.

              Windows users with a keyserver running on their Active
              Directory may use the short form ldap:/// for name to access
              this directory.

              For accessing anonymous LDAP keyservers name is in general just
              a ldaps://ldap.example.com.  A BaseDN parameter should never be
              specified.  If authentication is required things are more
              complicated and two methods are available:

              The modern method (since version 2.2.28) is to use the very same
              syntax as used with the option --ldapserver.  Please see over
              there for details; here is an example:

                keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
                dc=example,dc=com:PASSWORD::starttls

              The other method is to use a full URL for name; for example:

                keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
                %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD

              Put this all on one line without any spaces and keep the '%2C'
              as given.  Replace USERNAME, PASSWORD, and the 'dc' parts
              according to the instructions received from your LDAP
              administrator.  Note that only simple authentication
              (i.e. cleartext passwords) is supported and thus using ldaps is
              strongly suggested (since 2.2.28 "ldaps" defaults to port 389
              and uses STARTTLS).  On Windows authentication via AD can be
              requested by adding gpgNtds=1 after the fourth question mark
              instead of the bindname and password parameter.

       --nameserver ipaddr
              In ``Tor mode'' Dirmngr uses a public resolver via Tor to
              resolve DNS names.  If the default public resolver, which is
              8.8.8.8, shall not be used a different one can be given using
              this option.  Note that a numerical IP address must be given
              (IPv6 or IPv4) and that no error checking is done for ipaddr.

       --disable-ipv4
       --disable-ipv6
              Disable the use of all IPv4 or IPv6 addresses.

       --disable-ldap
              Entirely disables the use of LDAP.

       --disable-http
              Entirely disables the use of HTTP.

       --ignore-http-dp
              When looking for the location of a CRL, the certificate to be
              tested usually contains so called CRL Distribution Point (DP)
              entries which are URLs describing the way to access the CRL.
              The first found DP entry is used.  With this option all entries
              using the HTTP scheme are ignored when looking for a suitable
              DP.

       --ignore-ldap-dp
              This is similar to --ignore-http-dp but ignores entries using
              the LDAP scheme.  Both options may be combined resulting in
              ignoring DPs entirely.

       --ignore-ocsp-service-url
              Ignore all OCSP URLs contained in the certificate.  The effect
              is to force the use of the default responder.

       --honor-http-proxy
              If the environment variable ‘http_proxy’ has been set, use its
              value to access HTTP servers.

       --http-proxy host[:port]
              Use host and port to access HTTP servers.  The use of this
              option overrides the environment variable ‘http_proxy’
              regardless whether --honor-http-proxy has been set.

       --ldap-proxy host[:port]
              Use host and port to connect to LDAP servers.  If port is
              omitted, port 389 (standard LDAP port) is used.  This overrides
              any specified host and port part in a LDAP URL and will also be
              used if host and port have been omitted from the URL.

       --only-ldap-proxy
              Never use anything else but the LDAP "proxy" as configured with
              --ldap-proxy.  Usually dirmngr tries to use other configured
              LDAP servers if the connection using the "proxy" failed.

       --ldapserverlist-file file
              Read the list of LDAP servers to consult for CRLs and X.509
              certificates from file instead of the default per-user ldap
              server list file.  The default value for file is
              ‘dirmngr_ldapservers.conf’.

              This server list file contains one LDAP server per line in the
              format

              hostname:port:username:password:base_dn:flags

              Lines starting with a ‘#’ are comments.

              Note that as usual all strings entered are expected to be UTF-8
              encoded.  Obviously this will lead to problems if the password
              has originally been encoded as Latin-1.  There is no other
              solution here than to put such a password in the binary
              encoding into the file (i.e. non-ascii characters won't show up
              readable).  (The gpgconf tool might be helpful for frontends as
              it enables editing this configuration file using
              percent-escaped strings.)

       --ldapserver spec
              This is an alternative way to specify LDAP servers for CRL and
              X.509 certificate retrieval.  If this option is used the servers
              configured in ‘dirmngr_ldapservers.conf’ (or the file given by
              --ldapserverlist-file) are cleared.  Note that
              ‘dirmngr_ldapservers.conf’ is not read again by a reload
              signal.  However, --ldapserver options are read again.

              spec is either a proper LDAP URL or a colon delimited list of
              the form

              hostname:port:username:password:base_dn:flags:

              with an optional prefix of ldap: (but without the two slashes
              which would turn this into a proper LDAP URL).  flags is a list
              of one or more comma delimited keywords:

              plain  The default: Do not use a TLS secured connection at all;
                     the default port is 389.

              starttls
                     Use STARTTLS to secure the connection; the default port
                     is 389.

              ldaptls
                     Tunnel LDAP through a TLS connection; the default port is
                     636.

              ntds   On Windows authenticate the LDAP connection using the
                     Active Directory with the current user.

       Note that in a URL style specification the scheme ldaps:// refers to
       STARTTLS and _not_ to LDAP-over-TLS.

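       As an added example (not code from GnuPG), the following Python parses
       the colon-delimited spec documented above for --ldapserver, the
       dirmngr_ldapservers.conf file and the ldap: form of --keyserver, fills
       in the default port each transport flag implies (389 for plain and
       starttls, 636 for ldaptls), and reports entries that carry bind
       credentials without STARTTLS or LDAP-over-TLS.  The sample server list
       and its hosts and credentials are constructed.

```python
# Added example, not dirmngr's own code: parser for the documented
# hostname:port:username:password:base_dn:flags[:] specification.
from dataclasses import dataclass, field
from typing import List

# Transport flags from the man page and the default port each implies.
# "ntds" selects Windows AD authentication only and implies no port.
TRANSPORT_PORTS = {"plain": 389, "starttls": 389, "ldaptls": 636}
KNOWN_FLAGS = set(TRANSPORT_PORTS) | {"ntds"}


@dataclass
class LdapServer:
    host: str
    port: int
    username: str
    password: str
    base_dn: str
    transport: str                 # "plain", "starttls" or "ldaptls"
    ntds: bool
    warnings: List[str] = field(default_factory=list)


def parse_ldapserver_spec(spec: str) -> LdapServer:
    """Parse one spec; an optional leading "ldap:" prefix is accepted."""
    spec = spec.strip()
    if "://" in spec:
        raise ValueError("proper LDAP URLs are outside this parser's scope")
    if spec.startswith("ldap:"):
        spec = spec[len("ldap:"):]
    parts = spec.split(":")
    # The --ldapserver form ends with a colon; drop that single empty tail.
    if len(parts) == 7 and parts[6] == "":
        parts = parts[:6]
    if len(parts) > 6:
        raise ValueError("too many colon separated fields")
    parts += [""] * (6 - len(parts))          # omitted trailing fields are empty
    host, port_text, username, password, base_dn, flag_text = parts
    if not host:
        raise ValueError("hostname is required")

    flags = [f.strip() for f in flag_text.split(",") if f.strip()]
    unknown = sorted(set(flags) - KNOWN_FLAGS)
    if unknown:
        raise ValueError("unknown flag(s): " + ", ".join(unknown))
    transports = [f for f in flags if f in TRANSPORT_PORTS]
    if len(transports) > 1:
        raise ValueError("conflicting transport flags: " + ", ".join(transports))
    transport = transports[0] if transports else "plain"   # plain is the default

    if port_text:
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError("port out of range: " + port_text)
    else:
        port = TRANSPORT_PORTS[transport]

    warnings = []
    if transport == "plain" and (username or password):
        # Only simple bind is supported, so without STARTTLS or LDAP-over-TLS
        # the password crosses the network in cleartext.
        warnings.append("bind credentials configured on a non-TLS connection")
    if "ntds" in flags and (username or password):
        warnings.append("ntds flag combined with explicit bind credentials")
    return LdapServer(host, port, username, password, base_dn, transport,
                      "ntds" in flags, warnings)


def spec_error(spec: str) -> str:
    """Return the validation error for spec, or '' when it parses."""
    try:
        parse_ldapserver_spec(spec)
        return ""
    except ValueError as err:
        return str(err)


def parse_ldapserverlist(text: str) -> List[LdapServer]:
    """Parse a dirmngr_ldapservers.conf style file: one spec per line, '#' comments."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            servers.append(parse_ldapserver_spec(line))
    return servers


# Constructed sample file; the hosts and credentials are made up.
SAMPLE_LDAPSERVERS = """\
# anonymous, STARTTLS on the default port
ldap.example.com:::::starttls
# authenticated reader, LDAP-over-TLS on a non-standard port
dir.example.net:10636:uid=reader,dc=example,dc=net:s3cret:dc=example,dc=net:ldaptls
# legacy entry: credentials but no transport flag, so plain LDAP on 389
old.example.org::uid=reader,dc=example,dc=org:s3cret:dc=example,dc=org:
"""
```

       Passwords containing a colon cannot be represented in this format, so
       the parser does not try to escape them.
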
       --ldaptimeout secs
              Specify the number of seconds to wait for an LDAP query before
              timing out.  The default is 15 seconds.  0 will never timeout.

       --add-servers
              This option makes dirmngr add any servers it discovers when
              validating certificates against CRLs to the internal list of
              servers to consult for certificates and CRLs.  This option
              should in general not be used.

              This option might be useful when trying to validate a
              certificate that has a CRL distribution point that points to a
              server that is not already listed in the ldapserverlist.
              Dirmngr will always go to this server and try to download the
              CRL, but chances are high that the certificate used to sign the
              CRL is located on the same server.  So if dirmngr doesn't add
              that new server to the list, it will often not be able to verify
              the signature of the CRL unless the --add-servers option is
              used.

              Caveat emptor: Using this option may enable denial-of-service
              attacks and leak search requests to unknown third parties.  This
              is because arbitrary servers are added to the internal list of
              LDAP servers which in turn is used for all unspecific LDAP
              queries as well as a fallback for queries which did not return a
              result.

       --allow-ocsp
              This option enables OCSP support if requested by the client.

              OCSP requests are rejected by default because they may violate
              the privacy of the user; for example it is possible to track the
              time when a user is reading a mail.

       --ocsp-responder url
              Use url as the default OCSP Responder if the certificate does
              not contain information about an assigned responder.  Note that
              --ocsp-signer must also be set to a valid certificate.

       --ocsp-signer fpr|file
              Use the certificate with the fingerprint fpr to check the
              responses of the default OCSP Responder.  Alternatively a
              filename can be given in which case the response is expected to
              be signed by one of the certificates described in that file.
              Any argument which contains a slash, dot or tilde is considered
              a filename.  Usual filename expansion takes place: A tilde at
              the start followed by a slash is replaced by the content of
              ‘HOME’, no slash at start describes a relative filename which
              will be searched at the home directory.  To make sure that the
              file is searched in the home directory, either prepend the name
              with "./" or use a name which contains a dot.

              If a response has been signed by a certificate described by
              these fingerprints no further check upon the validity of this
              certificate is done.

              The format of the FILE is a list of SHA-1 fingerprints, one per
              line with optional colons between the bytes.  Empty lines and
              lines prefixed with a hash mark are ignored.

       --ocsp-max-clock-skew n
              The number of seconds of skew between the OCSP responder and the
              local clock that is accepted.  Default is 600 (10 minutes).

       --ocsp-max-period n
              Seconds a response is at maximum considered valid after the time
              given in the thisUpdate field.  Default is 7776000 (90 days).

       --ocsp-current-period n
              The number of seconds an OCSP response is considered valid after
              the time given in the NEXT_UPDATE datum.  Default is 10800 (3
              hours).

       --max-replies n
              Do not return more than n items in one query.  The default is
              10.

       --ignore-cert-extension oid
              Add oid to the list of ignored certificate extensions.  The oid
              is expected to be in dotted decimal form, like 2.5.29.3.  This
              option may be used more than once.  Critical flagged certificate
              extensions matching one of the OIDs in the list are treated as
              if they are actually handled and thus the certificate won't be
              rejected due to an unknown critical extension.  Use this option
              with care because extensions are usually flagged as critical for
              a reason.

       --ignore-cert fpr|file
              Entirely ignore certificates with the fingerprint fpr.  As an
              alternative to the fingerprint a filename can be given in which
              case all certificates described in that file are ignored.  Any
              argument which contains a slash, dot or tilde is considered a
              filename.  Usual filename expansion takes place: A tilde at the
              start followed by a slash is replaced by the content of ‘HOME’,
              no slash at start describes a relative filename which will be
              searched at the home directory.  To make sure that the file is
              searched in the home directory, either prepend the name with
              "./" or use a name which contains a dot.  The format of such a
              file is a list of SHA-1 fingerprints, one per line with optional
              colons between the bytes.  Empty lines and lines prefixed with a
              hash mark are ignored.

              This option is useful as a quick workaround to exclude certain
              certificates from the system store.

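       The fpr|file argument rules shared by --ocsp-signer and --ignore-cert
       (filename detection, tilde and home-directory expansion, and the
       fingerprint list file format), implemented as an added Python example
       that is not GnuPG's code.  It assumes that "home directory" in those
       descriptions means the GnuPG home directory; the sample fingerprints
       are constructed.

```python
# Added example (not GnuPG code): the fpr|file argument rules documented for
# --ocsp-signer and --ignore-cert, and the fingerprint list file format.
import posixpath
import re
from typing import List, Tuple

SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")


def is_filename(arg: str) -> bool:
    """Man page rule: an argument containing a slash, dot or tilde is a filename."""
    return any(c in arg for c in "/.~")


def expand_filename(arg: str, home: str, gnupg_home: str) -> str:
    """Documented expansion: '~/' takes HOME, a leading slash is absolute, and
    any other name is searched relative to the home directory (assumed here to
    be the GnuPG home directory, i.e. the --homedir value)."""
    if arg.startswith("~/"):
        return posixpath.join(home, arg[2:])
    if arg.startswith("/"):
        return arg
    return posixpath.normpath(posixpath.join(gnupg_home, arg))


def normalize_fingerprint(text: str) -> str:
    """Return the SHA-1 fingerprint as 40 upper-case hex digits (colons removed)."""
    fpr = text.replace(":", "").upper()
    if not SHA1_HEX.match(fpr):
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return fpr


def parse_fingerprint_file(text: str) -> List[str]:
    """File format: one fingerprint per line with optional colons between the
    bytes; empty lines and lines starting with '#' are ignored."""
    fprs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fprs.append(normalize_fingerprint(line))
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
    return fprs


def classify_argument(arg: str, home: str, gnupg_home: str) -> Tuple[str, str]:
    """Return ("file", expanded_path) or ("fingerprint", normalized_fpr)."""
    if is_filename(arg):
        return "file", expand_filename(arg, home, gnupg_home)
    return "fingerprint", normalize_fingerprint(arg)


# Constructed sample file; the fingerprints are made up, not real certificates.
SAMPLE_FPR_FILE = """\
# OCSP responder certificates accepted for the default responder
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

fedcba9876543210fedcba9876543210fedcba98
"""
```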
       --hkp-cacert file
              Use the root certificates in file for verification of the TLS
              certificates used with hkps (keyserver access over TLS).  If the
              file is in PEM format a suffix of .pem is expected for file.
              This option may be given multiple times to add more root
              certificates.  Tilde expansion is supported.

              If no hkp-cacert directive is present, dirmngr will use the
              system CAs.


EXAMPLES

       Here is an example on how to show dirmngr's internal table of OpenPGP
       keyserver addresses.  The output is intended for debugging purposes and
       not part of a defined API.

           gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye

       To inhibit the use of a particular host you have noticed in one of the
       keyserver pools, you may use

          gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye

       The description of the keyserver command can be printed using

          gpg-connect-agent --dirmngr 'help keyserver' /bye


FILES

       Dirmngr makes use of several directories when running in daemon mode:
       There are a few configuration files to control the operation of
       dirmngr.  By default they may all be found in the current home
       directory (see option --homedir).

       dirmngr.conf
              This is the standard configuration file read by dirmngr on
              startup.  It may contain any valid long option; the leading two
              dashes may not be entered and the option may not be abbreviated.
              This file is also read after a SIGHUP however not all options
              will actually have an effect.  This default name may be changed
              on the command line (see option --options).  You should backup
              this file.

       /etc/gnupg/trusted-certs
              This directory should be filled with certificates of Root CAs
              you are trusting in checking the CRLs and signing OCSP
              Responses.

              Usually these are the same certificates you use with the
              applications making use of dirmngr.  It is expected that each of
              these certificate files contains exactly one DER encoded
              certificate in a file with the suffix ‘.crt’ or ‘.der’.  dirmngr
              reads those certificates on startup and when given a SIGHUP.
              Certificates which are not readable or do not make up a proper
              X.509 certificate are ignored; see the log file for details.

              Applications using dirmngr (e.g. gpgsm) can request these
              certificates to complete a trust chain in the same way as with
              the extra-certs directory (see below).

              Note that for OCSP responses the certificate specified using the
              option --ocsp-signer is always considered valid to sign OCSP
              responses.

       /etc/gnupg/extra-certs
              This directory may contain extra certificates which are
              preloaded into the internal cache on startup.  Applications
              using dirmngr (e.g. gpgsm) can request cached certificates to
              complete a trust chain.  This is convenient in cases you have a
              couple of intermediate CA certificates or certificates usually
              used to sign OCSP responses.  These certificates are first tried
              before going out to the net to look for them.  These
              certificates must also be DER encoded and suffixed with ‘.crt’
              or ‘.der’.

       ~/.gnupg/crls.d
              This directory is used to store cached CRLs.  The ‘crls.d’ part
              will be created by dirmngr if it does not exist but you need to
              make sure that the upper directory exists.

       Several options control the use of trusted certificates for TLS and
       CRLs.  Here is an overview on the use and origin of those Root CA
       certificates:

       System
              These System root certificates are used by:  FIXME

              The origin of the system provided certificates depends on the
              platform.  On Windows all certificates from the Windows System
              Stores ROOT and CA are used.

              On other platforms the certificates are read from the first file
              found from this list: ‘/etc/ssl/ca-bundle.pem’,
              ‘/etc/ssl/certs/ca-certificates.crt’, ‘/etc/pki/tls/cert.pem’,
              ‘/usr/local/share/certs/ca-root-nss.crt’, ‘/etc/ssl/cert.pem’.

       GnuPG
              The GnuPG specific certificates stored in the directory
              ‘/etc/gnupg/trusted-certs’ are only used to validate CRLs.

       OpenPGP keyserver
              For accessing the OpenPGP keyservers the only certificates used
              are those set with the configuration option hkp-cacert.

       OpenPGP keyserver pool
              This is usually only one certificate read from the file
              ‘/usr/share/gnupg/gnupg/sks-keyservers.netCA.pem’.  If this
              certificate exists it is used to access the special keyservers
              hkps.pool.sks-keyservers.net (or ‘hkps://keys.gnupg.net’).

       Please note that gpgsm accepts Root CA certificates for its own
       purposes only if they are listed in its file ‘trustlist.txt’.  dirmngr
       does not make use of this list - except FIXME.


NOTES

       To be able to see diagnostics it is often useful to put at least the
       following lines into the configuration file ‘~/.gnupg/dirmngr.conf’:

         log-file ~/dirmngr.log
         verbose

       You may want to check the log file to see whether all desired root CA
       certificates are correctly loaded.

       To be able to perform OCSP requests you probably want to add the line:

         allow-ocsp

       To make sure that new options are read or that after the installation
       of a new GnuPG version the right dirmngr version is running, you
       should kill an existing dirmngr so that a new instance is started as
       needed by the other components:

         gpgconf --kill dirmngr

       Direct interaction with the dirmngr is possible by using the command

         gpg-connect-agent --dirmngr

       Enter HELP at the prompt to see a list of commands and enter HELP
       followed by a command name to get help on that command.


SIGNALS

       A running dirmngr may be controlled by signals, i.e. using the kill
       command to send a signal to the process.

       Here is a list of supported signals:

       SIGHUP This signal flushes all internally cached CRLs as well as any
              cached certificates.  Then the certificate cache is
              reinitialized as on startup.  Options are re-read from the
              configuration file.  Instead of sending this signal it is better
              to use

                gpgconf --reload dirmngr

       SIGTERM
              Shuts down the process but waits until all current requests are
              fulfilled.  If the process has received 3 of these signals and
              requests are still pending, a shutdown is forced.  You may also
              use

                gpgconf --kill dirmngr

              instead of this signal.

       SIGINT Shuts down the process immediately.

       SIGUSR1
              This prints some caching statistics to the log file.


SEE ALSO

       gpgsm(1), dirmngr-client(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site, the
       command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.3.3                       2021-10-06                        DIRMNGR(8)