1DIRMNGR(8)                   GNU Privacy Guard 2.3                  DIRMNGR(8)
2
3
4

NAME

6       dirmngr - GnuPG's network access daemon
7

SYNOPSIS

9       dirmngr [options] command [args]
10
11

DESCRIPTION

13       Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
14       keyservers.  As with previous versions it is also used as a server  for
15       managing  and downloading certificate revocation lists (CRLs) for X.509
16       certificates, downloading X.509 certificates, and providing  access  to
17       OCSP  providers.   Dirmngr  is invoked internally by gpg, gpgsm, or via
18       the gpg-connect-agent tool.
19
20
21
22
23
24

COMMANDS

26       Commands are not distinguished from options except for  the  fact  that
27       only one command is allowed.
28
29
30       --version
31              Print  the program version and licensing information.  Note that
32              you cannot abbreviate this command.
33
34
35       --help, -h
36              Print a usage message summarizing the most  useful  command-line
37              options.  Note that you cannot abbreviate this command.
38
39
40       --dump-options
41              Print  a  list of all available options and commands.  Note that
42              you cannot abbreviate this command.
43
44
45       --server
46              Run in server mode and wait for commands on the stdin.  The  de‐
47              fault  mode is to create a socket and listen for commands there.
48              This is only used for testing.
49
50
51       --daemon
52              Run in background daemon mode  and  listen  for  commands  on  a
53              socket.   This  is  the  way dirmngr is started on demand by the
54              other GnuPG components.  To force starting dirmngr it is in gen‐
55              eral best to use gpgconf --launch dirmngr.
56
57
58       --supervised
59              Run  in the foreground, sending logs to stderr, and listening on
60              file descriptor 3, which must already be bound  to  a  listening
61              socket.  This option is deprecated and not supported on Windows.
62
63
64       --list-crls
65              List  the  contents of the CRL cache on stdout. This is probably
66              only useful for debugging purposes.
67
68
69       --load-crl file
70              This command requires a filename as additional argument, and  it
71              will make Dirmngr try to import the CRL in file into it's cache.
72              Note, that this is only possible if Dirmngr is able to  retrieve
73              the  CA's  certificate directly by its own means.  In general it
74              is better to use gpgsm's --call-dirmngr loadcrl filename command
75              so that gpgsm can help dirmngr.
76
77
78       --fetch-crl url
79              This command requires an URL as additional argument, and it will
80              make dirmngr try to retrieve and import the CRL  from  that  url
81              into  it's cache.  This is mainly useful for debugging purposes.
82              The dirmngr-client provides the same feature for a running dirm‐
83              ngr.
84
85
86       --shutdown
87              This  commands  shuts down an running instance of Dirmngr.  This
88              command has currently no effect.
89
90
91       --flush
92              This command removes all CRLs from Dirmngr's cache.  Client  re‐
93              quests will thus trigger reading of fresh CRLs.
94
95

OPTIONS

97       Note  that all long options with the exception of --options and --home‐
98       dir may also be given in the configuration file after stripping off the
99       two leading dashes.
100
101
102
103       --options file
104              Reads  configuration  from file instead of from the default per-
105              user configuration file.   The  default  configuration  file  is
106              named ‘dirmngr.conf’ and expected in the home directory.
107
108
109       --homedir dir
110              Set  the name of the home directory to dir.  This option is only
111              effective when used on the command line.  The default is the di‐
112              rectory  named ‘.gnupg’ directly below the home directory of the
113              user unless the environment variable GNUPGHOME has been  set  in
114              which  case  its  value  will  be  used.  Many kinds of data are
115              stored within this directory.
116
117
118
119       -v
120
121       --verbose
122              Outputs additional information while running.  You can  increase
123              the  verbosity  by  giving  several verbose commands to dirmngr,
124              such as -vv.
125
126
127
128       --log-file file
129              Append all logging output to file.  This is very helpful in see‐
130              ing  what  the  agent  actually does.  Use ‘socket://’ to log to
131              socket.
132
133
134       --debug-level level
135              Select the debug level for investigating problems.  level may be
136              a numeric value or by a keyword:
137
138
139              none   No  debugging at all.  A value of less than 1 may be used
140                     instead of the keyword.
141
142              basic  Some basic debug messages.  A value between 1 and  2  may
143                     be used instead of the keyword.
144
145              advanced
146                     More verbose debug messages.  A value between 3 and 5 may
147                     be used instead of the keyword.
148
149              expert Even more detailed messages.  A value between 6 and 8 may
150                     be used instead of the keyword.
151
152              guru   All  of  the  debug messages you can get. A value greater
153                     than 8 may be used instead of the keyword.  The  creation
154                     of  hash  tracing files is only enabled if the keyword is
155                     used.
156
157       How these messages are mapped to the  actual  debugging  flags  is  not
158       specified  and may change with newer releases of this program. They are
159       however carefully selected to best aid in debugging.
160
161
162       --debug flags
163              Set debug flags.  All flags are or-ed and flags may be given  in
164              C  syntax  (e.g.  0x0042)  or  as a comma separated list of flag
165              names.  To get a list of all supported  flags  the  single  word
166              "help"  can  be  used.  This option is only useful for debugging
167              and the behavior may change at any time without notice.
168
169
170       --debug-all
171              Same as --debug=0xffffffff
172
173
174       --tls-debug level
175              Enable debugging of the TLS layer at level.  The details of  the
176              debug  level  depend  on the used TLS library and are not set in
177              stone.
178
179
180       --debug-wait n
181              When running in server mode, wait n seconds before entering  the
182              actual  processing  loop  and print the pid.  This gives time to
183              attach a debugger.
184
185
186       --disable-check-own-socket
187              On some platforms dirmngr is able to detect the removal  of  its
188              socket file and shutdown itself.  This option disable this self-
189              test for debugging purposes.
190
191
192       -s
193       --sh
194       -c
195       --csh  Format the info output in daemon mode for use with the  standard
196              Bourne  shell respective the C-shell. The default is to guess it
197              based on the environment variable SHELL which is in  almost  all
198              cases sufficient.
199
200
201       --force
202              Enabling  this  option  forces  loading of expired CRLs; this is
203              only useful for debugging.
204
205
206       --use-tor
207       --no-use-tor
208              The option --use-tor switches Dirmngr and thus GnuPG into  ``Tor
209              mode''  to  route  all network access via Tor (an anonymity net‐
210              work).  Certain other features are disabled in this  mode.   The
211              effect of --use-tor cannot be overridden by any other command or
212              even by reloading dirmngr.  The use of --no-use-tor disables the
213              use  of  Tor.   The  default is to use Tor if it is available on
214              startup or after reloading dirmngr.  The test on the  availabil‐
215              ity  of Tor is done by trying to connect to a SOCKS proxy at ei‐
216              ther port 9050 or 9150; if another type of proxy is listening on
217              one of these ports, you should use --no-use-tor.
218
219
220       --standard-resolver
221              This option forces the use of the system's standard DNS resolver
222              code.  This is mainly used for debugging.  Note that on  Windows
223              a  standard  resolver is not used and all DNS access will return
224              the error ``Not Implemented'' if this  option  is  used.   Using
225              this  together with enabled Tor mode returns the error ``Not En‐
226              abled''.
227
228
229       --recursive-resolver
230              When possible use a recursive resolver instead  of  a  stub  re‐
231              solver.
232
233
234       --resolver-timeout n
235              Set  the timeout for the DNS resolver to N seconds.  The default
236              are 30 seconds.
237
238
239       --connect-timeout n
240
241       --connect-quick-timeout n
242              Set the timeout for HTTP and generic TCP connection attempts  to
243              N  seconds.   The  value set with the quick variant is used when
244              the --quick option has been given to  certain  Assuan  commands.
245              The  quick  value  is capped at the value of the regular connect
246              timeout.  The default values are 15 and 2  seconds.   Note  that
247              the  timeout values are for each connection attempt; the connec‐
248              tion code will attempt to connect all  addresses  listed  for  a
249              server.
250
251
252       --listen-backlog n
253              Set  the size of the queue for pending connections.  The default
254              is 64.
255
256
257       --allow-version-check
258              Allow Dirmngr to connect to  https://versions.gnupg.org  to  get
259              the  list  of  current software versions.  If this option is en‐
260              abled the list is retrieved in case the local copy does not  ex‐
261              ist  or  is older than 5 to 7 days.  See the option --query-swdb
262              of the command gpgconf for more details.  Note, that  regardless
263              of  this  option  a  version check can always be triggered using
264              this command:
265
266                gpg-connect-agent --dirmngr 'loadswdb --force' /bye
267
268
269
270       --keyserver name
271              Use name as your keyserver.  This is the server that gpg  commu‐
272              nicates  with  to  receive keys, send keys, and search for keys.
273              The  format  of  the  name  is  a  URI:   `scheme:[//]keyserver‐
274              name[:port]'  The scheme is the type of keyserver: "hkp" for the
275              HTTP (or compatible) keyservers, "ldap" for the LDAP keyservers,
276              or  "mailto"  for the Graff email keyserver. Note that your par‐
277              ticular installation of GnuPG may  have  other  keyserver  types
278              available as well. Keyserver schemes are case-insensitive. After
279              the keyserver name, optional keyserver configuration options may
280              be  provided.   These are the same as the --keyserver-options of
281              gpg, but apply only to this particular keyserver.
282
283              Most keyservers synchronize with each other, so there is  gener‐
284              ally  no  need  to send keys to more than one server. Somes key‐
285              servers use round robin DNS to give a different  keyserver  each
286              time you use it.
287
288              If  exactly  two keyservers are configured and only one is a Tor
289              hidden service (.onion), Dirmngr selects the  keyserver  to  use
290              depending  on  whether Tor is locally running or not.  The check
291              for a running Tor is done for each new connection.
292
293              If no keyserver is explicitly configured, dirmngr will  use  the
294              built-in default of https://keyserver.ubuntu.com.
295
296              Windows users with a keyserver running on their Active Directory
297              may use the short form ldap:/// for name to access  this  direc‐
298              tory.
299
300              For  accessing anonymous LDAP keyservers name is in general just
301              a ldaps://ldap.example.com.  A BaseDN parameter should never  be
302              specified.   If  authentication is required things are more com‐
303              plicated and two methods are available:
304
305              The modern method (since version 2.2.28) is to use the very same
306              syntax  as  used  with the option --ldapserver.  Please see over
307              there for details; here is an example:
308
309                keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
310                dc=example,dc=com:PASSWORD::starttls
311
312              The other method is to use a full URL for name; for example:
313
314                keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
315                %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
316
317              Put this all on one line without any spaces and keep the '%2C'
318              as given.  Replace USERNAME, PASSWORD, and the 'dc' parts
319              according to the instructions received from your LDAP
320              administrator.  Note that only simple authentication
321              (i.e. cleartext passwords) is supported and thus using ldaps is
322              strongly suggested (since 2.2.28 "ldaps" defaults to port 389
323              and uses STARTTLS).  On Windows authentication via AD can be
324              requested by adding gpgNtds=1 after the fourth question
325              mark instead of the bindname and password parameter.
326
327
328
329
330       --nameserver ipaddr
331              In ``Tor mode'' Dirmngr uses a public resolver via  Tor  to  re‐
332              solve  DNS  names.   If  the  default  public resolver, which is
333              8.8.8.8, shall not be used a different one can  be  given  using
334              this  option.   Note  that  a numerical IP address must be given
335              (IPv6 or IPv4) and that no error checking is done for ipaddr.
336
337
338       --disable-ipv4
339
340       --disable-ipv6
341              Disable the use of all IPv4 or IPv6 addresses.
342
343
344       --disable-ldap
345              Entirely disables the use of LDAP.
346
347
348       --disable-http
349              Entirely disables the use of HTTP.
350
351
352       --ignore-http-dp
353              When looking for the location of a CRL, the to  be  tested  cer‐
354              tificate  usually contains so called CRL Distribution Point (DP)
355              entries which are URLs describing the way  to  access  the  CRL.
356              The  first found DP entry is used.  With this option all entries
357              using the HTTP scheme are ignored when looking  for  a  suitable
358              DP.
359
360
361       --ignore-ldap-dp
362              This  is  similar  to --ignore-http-dp but ignores entries using
363              the LDAP scheme.  Both options may be combined resulting in  ig‐
364              noring DPs entirely.
365
366
367       --ignore-ocsp-service-url
368              Ignore  all  OCSP URLs contained in the certificate.  The effect
369              is to force the use of the default responder.
370
371
372       --honor-http-proxy
373              If the environment variable ‘http_proxy’ has been set,  use  its
374              value to access HTTP servers.
375
376
377       --http-proxy host[:port]
378              Use  host  and port to access HTTP servers.  The use of this op‐
379              tion overrides the environment variable ‘http_proxy’  regardless
380              whether --honor-http-proxy has been set.
381
382
383
384       --ldap-proxy host[:port]
385              Use  host and port to connect to LDAP servers.  If port is omit‐
386              ted, port 389 (standard LDAP port) is used.  This overrides  any
387              specified host and port part in a LDAP URL and will also be used
388              if host and port have been omitted from the URL.
389
390
391       --only-ldap-proxy
392              Never use anything else but the LDAP "proxy" as configured  with
393              --ldap-proxy.   Usually  dirmngr  tries  to use other configured
394              LDAP server if the connection using the "proxy" failed.
395
396
397
398       --ldapserverlist-file file
399              Read the list of LDAP servers to consult for CRLs and X.509 cer‐
400              tificates  from file instead of the default per-user ldap server
401              list   file.   The   default   value   for   file   is    ‘dirm‐
402              ngr_ldapservers.conf’.
403
404              This  server  list file contains one LDAP server per line in the
405              format
406
407              hostname:port:username:password:base_dn:flags
408
409              Lines starting with a  ‘#’ are comments.
410
411              Note that as usual all strings entered are expected to be  UTF-8
412              encoded.   Obviously  this will lead to problems if the password
413              has originally been encoded as Latin-1.  There is no other solu‐
414              tion  here  than  to  put such a password in the binary encoding
415              into the file (i.e. non-ascii characters  won't  show  up  read‐
416              able).  ([The  gpgconf tool might be helpful for frontends as it
417              enables editing this configuration  file  using  percent-escaped
418              strings.])
419
420
421
422       --ldapserver spec
423              This  is  an alternative way to specify LDAP servers for CRL and
424              X.509 certificate retrieval.  If this option is used the servers
425              configured  in  ‘dirmngr_ldapservers.conf’ (or the file given by
426              --ldapserverlist-file)   are   cleared.    Note   that    ‘dirm‐
427              ngr_ldapservers.conf’ is not read again by a reload signal. How‐
428              ever, --ldapserver options are read again.
429
430              spec is either a proper LDAP URL or a colon  delimited  list  of
431              the form
432
433              hostname:port:username:password:base_dn:flags:
434
435              with  an  optional  prefix of ldap: (but without the two slashes
436              which would turn this into a proper LDAP URL).  flags is a  list
437              of one or more comma delimited keywords:
438
439              plain  The  default: Do not use a TLS secured connection at all;
440                     the default port is 389.
441
442              starttls
443                     Use STARTTLS to secure the connection; the  default  port
444                     is 389.
445
446              ldaptls
447                     Tunnel LDAP through a TLS connection; the default port is
448                     636.
449
450              ntds   On Windows authenticate the LDAP connection using the Ac‐
451                     tive Directory with the current user.
452
453              areconly
454                     On  Windows  use only the A or AAAA record when resolving
455                     the LDAP server name.
456
457       Note that in an URL style specification the scheme ldaps://  refers  to
458       STARTTLS and _not_ to LDAP-over-TLS.
459
460
461
462       --ldaptimeout secs
463              Specify  the  number of seconds to wait for an LDAP query before
464              timing out.  The default are 15 seconds.  0 will never timeout.
465
466
467
468       --add-servers
469              This option makes dirmngr add any servers it discovers when val‐
470              idating  certificates  against  CRLs  to  the  internal  list of
471              servers to consult  for  certificates  and  CRLs.   This  option
472              should in general not be used.
473
474              This  option  might be useful when trying to validate a certifi‐
475              cate that has a CRL distribution point that points to  a  server
476              that  is not already listed in the ldapserverlist.  Dirmngr will
477              always go to this server  and  try  to  download  the  CRL,  but
478              chances  are  high  that the certificate used to sign the CRL is
479              located on the same server. So if dirmngr doesn't add  that  new
480              server  to  list, it will often not be able to verify the signa‐
481              ture of the CRL unless the --add-servers option is used.
482
483              Caveat emptor: Using this option  may  enable  denial-of-service
484              attacks and leak search requests to unknown third parties.  This
485              is because arbitrary servers are added to the internal  list  of
486              LDAP  servers  which  in  turn  is  used for all unspecific LDAP
487              queries as well as a fallback for queries which did not return a
488              result.
489
490
491
492       --allow-ocsp
493              This option enables OCSP support if requested by the client.
494
495              OCSP  requests  are rejected by default because they may violate
496              the privacy of the user; for example it is possible to track the
497              time when a user is reading a mail.
498
499
500
501       --ocsp-responder url
502              Use  url  as  the default OCSP Responder if the certificate does
503              not contain information about an assigned responder.  Note, that
504              --ocsp-signer must also be set to a valid certificate.
505
506
507       --ocsp-signer fpr|file
508              Use  the  certificate  with the fingerprint fpr to check the re‐
509              sponses of the default OCSP Responder.  Alternatively a filename
510              can be given in which case the response is expected to be signed
511              by one of the certificates described in that file.  Any argument
512              which  contains  a slash, dot or tilde is considered a filename.
513              Usual filename expansion takes place: A tilde at the start  fol‐
514              lowed  by a slash is replaced by the content of ‘HOME’, no slash
515              at start describes a relative filename which will be searched at
516              the  home  directory.  To make sure that the file is searched in
517              the home directory, either prepend the name with "./" or  use  a
518              name which contains a dot.
519
520              If  a  response  has  been  signed by a certificate described by
521              these fingerprints no further check upon the  validity  of  this
522              certificate is done.
523
524              The  format  of the FILE is a list of SHA-1 fingerprint, one per
525              line with optional colons between the bytes.   Empty  lines  and
526              lines prefix with a hash mark are ignored.
527
528
529
530       --ocsp-max-clock-skew n
531              The number of seconds a skew between the OCSP responder and them
532              local clock is accepted.  Default is 600 (10 minutes).
533
534
535       --ocsp-max-period n
536              Seconds a response is at maximum considered valid after the time
537              given in the thisUpdate field.  Default is 7776000 (90 days).
538
539
540       --ocsp-current-period n
541              The number of seconds an OCSP response is considered valid after
542              the time given in the NEXT_UPDATE datum.  Default  is  10800  (3
543              hours).
544
545
546
547       --max-replies n
548              Do  not  return  more that n items in one query.  The default is
549              10.
550
551
552       --ignore-cert-extension oid
553              Add oid to the list of ignored certificate extensions.  The  oid
554              is  expected  to be in dotted decimal form, like 2.5.29.3.  This
555              option may be used more than once.  Critical flagged certificate
556              extensions  matching  one of the OIDs in the list are treated as
557              if they are actually handled and thus the certificate  won't  be
558              rejected  due to an unknown critical extension.  Use this option
559              with care because extensions are usually flagged as critical for
560              a reason.
561
562
563       --ignore-cert fpr|file
564              Entirely  ignore  certificates  with the fingerprint fpr.  As an
565              alternative to the fingerprint a filename can be given in  which
566              case  all  certificates described in that file are ignored.  Any
567              argument which contains a slash, dot or tilde  is  considered  a
568              filename.   Usual filename expansion takes place: A tilde at the
569              start followed by a slash is replaced by the content of  ‘HOME’,
570              no  slash  at  start describes a relative filename which will be
571              searched at the home directory.  To make sure that the  file  is
572              searched  in  the  home  directory, either prepend the name with
573              "./" or use a name which contains a dot.  The format of  such  a
574              file  is a list of SHA-1 fingerprint, one per line with optional
575              colons between the bytes.  Empty lines and lines prefixed with a
576              hash mark are ignored.
577
578              This  option  is useful as a quick workaround to exclude certain
579              certificates from the system store.
580
581
582
583       --hkp-cacert file
584              Use the root certificates in file for verification  of  the  TLS
585              certificates used with hkps (keyserver access over TLS).  If the
586              file is in PEM format a suffix of .pem  is  expected  for  file.
587              This  option  may  be given multiple times to add more root cer‐
588              tificates.  Tilde expansion is supported.
589
590              If no hkp-cacert directive is present, dirmngr will use the sys‐
591              tem CAs.
592
593

EXAMPLES

595       Here  is  an example on how to show dirmngr's internal table of OpenPGP
596       keyserver addresses.  The output is intended for debugging purposes and
597       not part of a defined API.
598
599           gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
600
601       To  inhibit the use of a particular host you have noticed in one of the
602       keyserver pools, you may use
603
604          gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
605
606       The description of the keyserver command can be printed using
607
608          gpg-connect-agent --dirmngr 'help keyserver' /bye
609
610
611
612
613

FILES

615       Dirmngr makes use of several directories when running in  daemon  mode:
616       There  are  a few configuration files to control the operation of dirm‐
617       ngr.  By default they may all be found in the  current  home  directory
618       (see: [option --homedir]).
619
620
621
622       dirmngr.conf
623              This  is  the  standard  configuration  file  read by dirmngr on
624              startup.  It may contain any valid long option; the leading  two
625              dashes may not be entered and the option may not be abbreviated.
626              This file is also read after a SIGHUP however  not  all  options
627              will  actually have an effect.  This default name may be changed
628              on the command  line  (see:  [option  --options]).   You  should
629              backup this file.
630
631
632       /etc/gnupg/trusted-certs
633              This  directory  should  be filled with certificates of Root CAs
634              you are trusting in checking  the  CRLs  and  signing  OCSP  Re‐
635              sponses.
636
637              Usually  these are the same certificates you use with the appli‐
638              cations making use of dirmngr.  It  is  expected  that  each  of
639              these certificate files contain exactly one DER encoded certifi‐
640              cate in a file with the suffix ‘.crt’ or ‘.der’.  dirmngr  reads
641              those certificates on startup and when given a SIGHUP.  Certifi‐
642              cates which are not readable or do not make up  a  proper  X.509
643              certificate are ignored; see the log file for details.
644
645              Applications  using  dirmngr (e.g. gpgsm) can request these cer‐
646              tificates to complete a trust chain in the same way as with  the
647              extra-certs directory (see below).
648
649              Note that for OCSP responses the certificate specified using the
650              option --ocsp-signer is always considered valid to sign OCSP re‐
651              quests.
652
653
654       /etc/gnupg/extra-certs
655              This  directory  may  contain  extra certificates which are pre‐
656              loaded into the internal cache on  startup.  Applications  using
657              dirmngr (e.g. gpgsm) can request cached certificates to complete
658              a trust chain.  This is convenient in cases you  have  a  couple
659              intermediate  CA  certificates  or  certificates usually used to
660              sign OCSP responses.  These certificates are first tried  before
661              going  out to the net to look for them.  These certificates must
662              also be DER encoded and suffixed with ‘.crt’ or ‘.der’.
663
664
665       ~/.gnupg/crls.d
666              This directory is used to store cached CRLs.  The ‘crls.d’  part
667              will be created by dirmngr if it does not exists but you need to
668              make sure that the upper directory exists.
669
670
671       Several options control the use of trusted  certificates  for  TLS  and
672       CRLs.   Here is an Overview on the use and origin of those Root CA cer‐
673       tificates:
674
675
676       System
677
678              These System root certificates are used by:  FIXME
679
680              The origin of the system provided certificates  depends  on  the
681              platform.   On  Windows all certificates from the Windows System
682              Stores ROOT and CA are used.
683
684              On other platforms the certificates are read from the first file
685              found      form     this     list:     ‘/etc/ssl/ca-bundle.pem’,
686/etc/ssl/certs/ca-certificates.crt’,   ‘/etc/pki/tls/cert.pem’,
687/usr/local/share/certs/ca-root-nss.crt’, ‘/etc/ssl/cert.pem’.
688
689
690       GnuPG
691
692              The   GnuPG   specific  certificates  stored  in  the  directory
693/etc/gnupg/trusted-certs’ are only used to validate CRLs.
694
695
696
697       OpenPGP keyserver
698
699              For accessing the OpenPGP keyservers the only certificates  used
700              are those set with the configuration option hkp-cacert.
701
702
703       OpenPGP keyserver pool
704
705              This  is  usually  only  one  certificate  read  from  the  file
706/usr/share/gnupg/gnupg/sks-keyservers.netCA.pem’.  If this cer‐
707              tificate  exists  it  is  used  to access the special keyservers
708              hkps.pool.sks-keyservers.net (or ‘hkps://keys.gnupg.net’).
709
710
711       Please note that gpgsm accepts Root CA certificates for  its  own  pur‐
712       poses  only  if  they  are listed in its file ‘trustlist.txt’.  dirmngr
713       does not make use of this list - except FIXME.
714
715
716

NOTES

718       To be able to see diagnostics it is often useful to put  at  least  the
719       following lines into the configuration file ‘~/gnupg/dirmngr.conf’:
720
721         log-file ~/dirmngr.log
722         verbose
723
724       You  may  want to check the log file to see whether all desired root CA
725       certificates are correctly loaded.
726
727       To be able to perform OCSP requests you probably want to add the line:
728
729         allow-ocsp
730
731       To make sure that new options are read or that after  the  installation
732       of  a  new  GnuPG  versions  the  right dirmngr version is running, you
733       should kill an existing dirmngr so that a new instance  is  started  as
734       needed by the otehr components:
735
736         gpgconf --kill dirmngr
737
738       Direct interfaction with the dirmngr is possible by using the command
739
740         gpg-connect-agent --dirmngr
741
742       Enter  HELP at the prompt to see a list of commands and enter HELP fol‐
743       lowed by a command name to get help on that command.
744
745
746
747
748

SIGNALS

750       A running dirmngr may be controlled by signals,  i.e.  using  the  kill
751       command to send a signal to the process.
752
753       Here is a list of supported signals:
754
755
756
757       SIGHUP This  signal  flushes  all internally cached CRLs as well as any
758              cached certificates.  Then the certificate cache  is  reinitial‐
759              ized  as on startup.  Options are re-read from the configuration
760              file.  Instead of sending this signal it is better to use
761         gpgconf --reload dirmngr
762
763
764       SIGTERM
765              Shuts down the process but waits until all current requests  are
766              fulfilled.   If  the process has received 3 of these signals and
767              requests are still pending, a shutdown is forced.  You may  also
768              use
769         gpgconf --kill dirmngr
770       instead of this signal
771
772
773       SIGINT Shuts down the process immediately.
774
775
776
777       SIGUSR1
778              This prints some caching statistics to the log file.
779
780

SEE ALSO

782       gpgsm(1), dirmngr-client(1)
783
784       The full documentation for this tool is maintained as a Texinfo manual.
785       If GnuPG and the info program are properly installed at your site,  the
786       command
787
788         info gnupg
789
790       should  give  you access to the complete manual including a menu struc‐
791       ture and an index.
792
793
794
795
796
797GnuPG 2.3.8                       2022-10-07                        DIRMNGR(8)
Impressum