

7.2 Validate a certificate using a CRL or OCSP

       ISVALID [--only-ocsp] [--force-default-responder] certid|certfpr

Check whether the certificate described by the certid has been revoked. Due to caching, the Dirmngr is able to answer immediately in most cases.

The certid is a hex encoded string consisting of two parts, delimited by a single dot. The first part is the SHA-1 hash of the issuer name and the second part the serial number.

Alternatively, the certificate's SHA-1 fingerprint certfpr may be given, in which case an OCSP request is done before consulting the CRL. If the option --only-ocsp is given, no fallback to a CRL check is used. If the option --force-default-responder is given, only the default OCSP responder is used; any other method of obtaining an OCSP responder URL (such as the responder URL embedded in the certificate) is ignored.

Common return values are:

GPG_ERR_NO_ERROR (0)
This is the positive answer: The certificate is not revoked and we have an up-to-date revocation list for that certificate. If OCSP was used the responder confirmed that the certificate has not been revoked.
GPG_ERR_CERT_REVOKED
This is the negative answer: The certificate has been revoked. Either it is in a CRL and that list is up to date or an OCSP responder informed us that it has been revoked.
GPG_ERR_NO_CRL_KNOWN
No CRL is known for this certificate or the CRL is not valid or out of date.
GPG_ERR_NO_DATA
The OCSP responder returned an “unknown” status. This means that it is not aware of the certificate's status.
GPG_ERR_NOT_SUPPORTED
This is commonly seen if OCSP support has not been enabled in the configuration.

If Dirmngr does not have enough information about the given certificate (which is the case for certificates that have not yet been cached), it will inquire the missing data:

       S: INQUIRE SENDCERT <CertID>
       C: D <DER encoded certificate>
       C: END

A client should be aware that Dirmngr may ask for more than one certificate, for example the issuer certificate needed to locate and verify the CRL, and must be prepared to answer each inquiry in turn.
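The following is an added example and not Dirmngr's or GnuPG's own code. It shows the two pieces a client needs for this command: building the certid described above, and driving the ISVALID exchange while answering SENDCERT inquiries (possibly several, and with Assuan percent-escaping and line-length limits respected). The "server" is a constructed in-memory stand-in for Dirmngr, the certificates are placeholder byte strings, the issuer chain and revocation table are constructed, and the numeric code in the ERR lines is a placeholder. One assumption is flagged in the code: the issuer name is hashed as a text string; a real client must hash exactly the representation its Dirmngr uses, which this page does not pin down.

```python
"""Added example (not GnuPG/Dirmngr code): an ISVALID client against a
constructed stand-in for Dirmngr.  Everything here is simulated."""
import hashlib

ASSUAN_LINE_MAX = 1000  # assumption: keep each line within Assuan's line limit


def make_certid(issuer_name: str, serial: int) -> str:
    """certid = SHA-1(issuer name) '.' serial number, both as upper-case hex.
    Assumption: the issuer name is hashed as a text string; the page does not
    say which encoding Dirmngr hashes, so match your Dirmngr, not this."""
    digest = hashlib.sha1(issuer_name.encode("utf-8")).hexdigest().upper()
    serial_bytes = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    return f"{digest}.{serial_bytes.hex().upper()}"


def assuan_escape(data: bytes) -> str:
    """Percent-escape '%', CR and LF as required inside D lines; other bytes pass through as latin-1."""
    return "".join(f"%{b:02X}" if b in (0x25, 0x0D, 0x0A) else chr(b) for b in data)


def assuan_unescape(text: str) -> bytes:
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "%":
            out.append(int(text[i + 1:i + 3], 16)); i += 3
        else:
            out.append(ord(text[i])); i += 1
    return bytes(out)


def d_lines(der: bytes):
    """Answer an INQUIRE: the DER certificate as 'D ' lines (never splitting a %XX escape), then END."""
    lines, cur = [], "D "
    for b in der:
        tok = assuan_escape(bytes([b]))
        if len(cur) + len(tok) > ASSUAN_LINE_MAX:
            lines.append(cur); cur = "D "
        cur += tok
    return lines + [cur, "END"]


class MockDirmngr:
    """Constructed stand-in: a cert cache, a chain table and a revocation table."""
    def __init__(self, statuses, issuers):
        self.statuses, self.issuers = statuses, issuers  # certid -> status name / issuer certid
        self.cache, self.pending, self.buf, self.target = {}, None, [], None

    def handle(self, line):
        if line.startswith("ISVALID "):
            self.target = line.split()[-1]
            return self._continue()
        if self.pending and line.startswith("D "):
            self.buf.append(assuan_unescape(line[2:])); return []
        if self.pending and line == "END":
            self.cache[self.pending] = b"".join(self.buf)
            self.buf, self.pending = [], None
            return self._continue()
        if self.pending and line == "CAN":  # client cancelled the inquiry
            self.buf, self.pending = [], None
            return ["ERR 1 GPG_ERR_CANCELED"]  # placeholder numeric code
        return ["ERR 1 GPG_ERR_ASS_UNKNOWN_CMD"]

    def _continue(self):
        cid = self.target
        while cid:  # walk up the chain; inquire the first certificate we lack
            if cid not in self.cache:
                self.pending = cid
                return [f"INQUIRE SENDCERT {cid}"]
            cid = self.issuers.get(cid)
        status = self.statuses.get(self.target, "GPG_ERR_NO_CRL_KNOWN")
        return ["OK"] if status == "OK" else [f"ERR 1 {status}"]


def isvalid(server, certid, my_certs, only_ocsp=False):
    """Run ISVALID and answer every SENDCERT inquiry. Returns (validated, final line, transcript).
    Only OK counts as validated: revoked, no CRL, unknown and cancelled all fail closed."""
    queue, transcript = [f"ISVALID{' --only-ocsp' if only_ocsp else ''} {certid}"], []
    while queue:
        line = queue.pop(0)
        transcript.append("C: " + line)
        for reply in server.handle(line):
            transcript.append("S: " + reply)
            if reply.startswith("INQUIRE SENDCERT "):
                wanted = reply.split()[2]
                queue.extend(d_lines(my_certs[wanted]) if wanted in my_certs else ["CAN"])
            elif reply == "OK":
                return True, reply, transcript
            elif reply.startswith("ERR "):
                return False, reply, transcript
    return False, "no final status", transcript


# Constructed test data: a CA and two leaf certificates it issued.
CA_NAME = "CN=Example Test CA,O=Example"
CA_ID, LEAF_ID, REVOKED_ID = make_certid(CA_NAME, 1), make_certid(CA_NAME, 0x1234), make_certid(CA_NAME, 0x99)
CERTS = {CA_ID: b"\x30\x82%ca\r\n" * 200, LEAF_ID: b"\x30\x82%leaf\n" * 150, REVOKED_ID: b"\x30\x82%rev"}

if __name__ == "__main__":
    srv = MockDirmngr({LEAF_ID: "OK", REVOKED_ID: "GPG_ERR_CERT_REVOKED"}, {LEAF_ID: CA_ID, REVOKED_ID: CA_ID})
    for cid in (LEAF_ID, REVOKED_ID):
        ok, last, log = isvalid(srv, cid, CERTS)
        print("\n".join(l[:60] for l in log), "\n->", "validated" if ok else "NOT validated", "\n")
```

The first ISVALID triggers two inquiries (leaf, then its issuer); the second triggers only one because the CA is now cached, which is the caching behaviour the text describes. Note that the client treats every ERR, including GPG_ERR_NO_DATA and GPG_ERR_NO_CRL_KNOWN, as "not validated": a client that accepts anything other than OK silently skips revocation checking.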