FAQ for Administrators

This list covers frequently asked questions from an administrator's perspective. For topics relevant to end users, please refer to the separate user FAQ.

Certificates/Public keys

Which S/MIME certificates are trusted, and how do I add root certificates?

GnuPG VS-Desktop® uses its own directory and a separate configuration for globally accepted X.509 certificates. This is due to certification requirements: for use at the VS-NfD level, only certificates from a PKI that meets the criteria of BSI TR-03145 "Secure CA Operation" may be used.

The default configuration includes several commonly approved certification authorities, such as the PCA-1-Verwaltung.

Why is a certificate shown as invalid even though its CA is trusted?

You've marked a root CA as trusted, but one of its intermediate CAs still isn't recognized as valid? In most cases, this happens because the certificate revocation list (CRL) can't be retrieved. That's typically the case on offline systems, but also in networks with strict filtering or proxy use.

To diagnose the issue, open a command prompt and run the following command, replacing CertificateID with the certificate's fingerprint, key ID or e-mail address:

gpgsm --with-validation -k "CertificateID"

The output will point to the specific cause.
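As an added example (not part of the FAQ or of GnuPG itself), the small POSIX shell helper below runs the diagnostic command above for one certificate and reduces its result to a single verdict an administrator can act on. It assumes that gpgsm's human-readable listing ends with a line of the form "[certificate is good]" or "[certificate is bad: <reason>]" and that reasons mentioning a CRL indicate the revocation-list problem described above; the sample output embedded in the block is constructed.

```shell
#!/bin/sh
# Added example, not code from the FAQ or from GnuPG.
# Assumption: with --with-validation, gpgsm ends each listing with
#   "  [certificate is good]"  or  "  [certificate is bad: <reason>]".
# Check the exact wording against your gpgsm version before relying on it.

# classify_validation: read gpgsm output on stdin, print one verdict:
#   good | crl-unavailable | revoked | expired | chain-incomplete | bad | unknown
classify_validation() {
  awk '
    /\[certificate is good\]/ { verdict = "good" }
    /\[certificate is bad:/ {
      reason = $0
      sub(/.*\[certificate is bad: */, "", reason)   # keep text after the colon
      sub(/\].*/, "", reason)                        # drop the closing bracket
      if      (reason ~ /CRL/)                 verdict = "crl-unavailable"
      else if (reason ~ /revoked/)             verdict = "revoked"
      else if (reason ~ /expired/)             verdict = "expired"
      else if (reason ~ /Missing certificate/) verdict = "chain-incomplete"
      else                                     verdict = "bad"
    }
    END { print (verdict == "" ? "unknown" : verdict) }
  '
}

# check_cert <CertificateID>: run the diagnostic command from the FAQ and
# classify its result (requires gpgsm on PATH; no network access is made
# beyond what gpgsm/dirmngr already do for CRL retrieval).
check_cert() {
  gpgsm --with-validation -k "$1" 2>&1 | classify_validation
}

# Constructed sample of what an intermediate CA with an unreachable CRL
# might look like (the certificate data here is fictitious).
SAMPLE_NO_CRL='          ID: 0x00000000
         S/N: 0A
      Issuer: /CN=Example Root CA/O=Example
     Subject: /CN=Example Intermediate CA/O=Example
  [certificate is bad: No CRL known]'

# A verdict of crl-unavailable points at the proxy or offline situations
# discussed in this FAQ entry rather than at the trust setting of the CA.
```

Run `check_cert "<CertificateID>"` on the affected system; anything other than `good` identifies which remedy below applies.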

If your system accesses the internet through a proxy, you'll need to configure proxy settings in the Windows Registry for GnuPG VS-Desktop®:


If you're using GnuPG VS-Desktop® on an offline system and want to work with S/MIME certificates, go to S/MIME Validation in Kleopatra's settings and enable the option Never consult a CRL.

Important: To stay compliant with VS-NfD requirements, you must still perform revocation checks regularly on a system with internet access.

Miscellaneous Topics

Which settings can be changed by users?

During installation, configuration templates are stored in %ProgramData%\GNU\etc\gnupg\dirmngr.conf. These templates can be customized via the Windows Registry.

Some options in the templates are marked with [force]. This flag ensures that the corresponding settings cannot be modified by users. They will appear grayed out or be hidden entirely in Kleopatra.

Settings that users are allowed to change in the default configuration are marked with OPTION[user] on the page "Detailed Guide to VSD Registry Settings".

How does LDAP certificate lookup work with GnuPG?

GnuPG and its desktop variants support the use of LDAP directories with an OpenPGP schema for certificate lookup. This enables organizations to distribute certificates in a centralized and user-friendly way.

For setup and usage details, refer to the following guides: