FAQ for Administrators
This list covers frequently asked questions from an administrator's perspective. For topics relevant to end users, please refer to the separate user FAQ.
Certificates/Public keys
Which S/MIME certificates are trusted, and how do I add root certificates?
GnuPG VS-Desktop® uses its own directory and a separate configuration for globally accepted X.509 certificates. This is due to certification requirements: for use at the VS-NfD level, only certificates from a PKI that meets the criteria of BSI TR-03145 "Secure CA Operation" may be used.
The default configuration includes several commonly approved certification authorities—such as the PCA-1-Verwaltung.
Why is a certificate shown as invalid even though its CA is trusted?
You've marked a root CA as trusted, but one of its intermediate CAs still isn't recognized as valid? In most cases, this happens because the certificate revocation list (CRL) can't be retrieved. That's typically the case on offline systems, but also in networks with strict filtering or proxy use.
To diagnose the issue, open a command prompt and run:
gpgsm --with-validation -k "CertificateID"
The output will point to the specific cause.
If your system accesses the internet through a proxy, you'll need to configure proxy settings in the Windows Registry for GnuPG VS-Desktop®:
If you're using GnuPG VS-Desktop® on an offline system and want to work with S/MIME certificates, go to S/MIME Validation in Kleopatra's settings and enable the option Never consult a CRL.
Important: To stay compliant with VS-NfD requirements, you must still perform revocation checks regularly on a system with internet access.
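The diagnostic above, run for several certificates at once and summarized, as an added PowerShell example that is not part of the original FAQ. It assumes gpgsm.exe is on PATH and that the certificate IDs in the parameter are placeholders you replace with the fingerprints or key IDs Kleopatra shows.

```powershell
# Added example (not from the FAQ): batch-validate S/MIME certificates with gpgsm
# and summarize why each one is rejected. The IDs below are placeholders.
param(
    [string[]]$CertificateIds = @('PLACEHOLDER_FINGERPRINT_1', 'PLACEHOLDER_FINGERPRINT_2')
)

# With --with-validation, gpgsm verifies the whole chain (CRL retrieval goes
# through dirmngr) and prints a "[certificate is good]" or
# "[certificate is bad: <reason>]" line for each certificate it lists.
$pattern = '\[certificate is (?<state>good|bad)(?::\s*(?<reason>[^\]]*))?\]'

$results = foreach ($id in $CertificateIds) {
    $text  = (& gpgsm --with-validation -k $id 2>&1 | Out-String)
    $found = [regex]::Matches($text, $pattern)
    if ($found.Count -eq 0) {
        # Nothing listed: the ID did not match any certificate in the gpgsm keybox.
        [pscustomobject]@{ Id = $id; State = 'unknown'; Reason = 'no certificate listed (check the ID)' }
        continue
    }
    foreach ($m in $found) {
        [pscustomobject]@{ Id = $id; State = $m.Groups['state'].Value; Reason = $m.Groups['reason'].Value }
    }
}

$results | Format-Table -AutoSize

# A reason that mentions the CRL usually means dirmngr could not fetch the
# revocation list: offline system, or a proxy/filter blocking the CRL URL.
$crlProblems = $results | Where-Object { $_.State -eq 'bad' -and $_.Reason -match 'CRL' }
if ($crlProblems) {
    $ids = ($crlProblems.Id | Select-Object -Unique) -join ', '
    Write-Warning "CRL retrieval problem for: $ids (check proxy settings or the offline CRL policy)"
}
```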
Miscellaneous Topics
Which settings can be changed by users?
During installation, configuration templates are stored in %ProgramData%\GNU\etc\gnupg\dirmngr.conf. These templates can be customized via the Windows Registry.
Some options in the templates are marked with [force]. This flag ensures that the corresponding settings cannot be modified by users. They will appear grayed out or be hidden entirely in Kleopatra.
Settings that users are allowed to change in the default configuration are marked with OPTION[user] on the page "Detailed Guide to VSD Registry Settings".
How does LDAP certificate lookup work with GnuPG?
GnuPG and its desktop variants support the use of LDAP directories with an OpenPGP schema for certificate lookup. This enables organizations to distribute certificates in a centralized and user-friendly way.
For setup and usage details, refer to the following guides:
- How to use LDAP with GnuPG explains how to configure an OpenLDAP server on Linux and provides additional guidance on using LDAP with GnuPG.
- How to install an LDS for use with GnuPG (VS-)Desktop® describes how to set up a Microsoft Windows LDS as a keyserver, along with the required client configuration for GnuPG (VS-)Desktop®.