Check whether the certificate described by the certificate_ID (which is a fingerprint) has been revoked. Due to caching, the Dirmngr is able to answer immediately in most cases:
S: OK
Yes, the certificate is not revoked and we have an up-to-date revocation list for that certificate.
S: E 301 certificate has been revoked
The client may then issue another command to retrieve information on the revocation reason.
S: E 302 no CRL known for this certificate
S: E 303 CRL is too old and a new one could not be retrieved
If the DirMngr does not have enough information about the given certificate, which is the case for certificates that are not yet cached because the client only passes the CertID, the DirMngr will inquire the missing data:
S: INQUIRE SENDCERT <CertID>
C: D <DER encoded certificate>
C: END
A client should be aware that the DirMngr may ask for more than one certificate.
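The following added example (not part of the Dirmngr manual or source code) sketches how a client could drive the dialogue above: it answers every SENDCERT inquiry, however many arrive, and treats anything other than a final OK as a failed check. The function names, the sample CertIDs and the DER bytes are constructed; the percent-escaping of data lines, the 1000-byte line limit and the CAN reply are assumed from the general Assuan protocol, not from this page.

```python
from enum import Enum

class Verdict(Enum):
    GOOD = "not revoked, CRL up to date"
    REVOKED = "certificate has been revoked"
    NO_CRL = "no CRL known"
    STALE_CRL = "CRL too old, refresh failed"
    PROTOCOL_ERROR = "unexpected or incomplete reply"

# Error numbers exactly as listed on this page.
E_CODES = {b"301": Verdict.REVOKED, b"302": Verdict.NO_CRL, b"303": Verdict.STALE_CRL}
# Assumption (Assuan): lines stay under 1000 bytes; 300 raw bytes escape to at most 900.
RAW_CHUNK = 300

def data_lines(der):
    """Encode DER bytes as "D" lines, percent-escaping '%', CR and LF."""
    lines = []
    for i in range(0, len(der), RAW_CHUNK):
        esc = b"".join(b"%%%02X" % b if b in b"%\r\n" else bytes([b])
                       for b in der[i:i + RAW_CHUNK])
        lines.append(b"D " + esc)
    return lines

def run_dialogue(server_lines, certs):
    """Return (verdict, lines the client sends); certs maps CertID -> DER bytes."""
    sent = []
    for line in server_lines:
        word, _, rest = line.partition(b" ")
        if word == b"OK":
            return Verdict.GOOD, sent
        if word == b"E":
            # Unknown error numbers are not guessed at; they fail the check.
            return E_CODES.get(rest.split(b" ", 1)[0], Verdict.PROTOCOL_ERROR), sent
        if word == b"INQUIRE" and rest.startswith(b"SENDCERT "):
            der = certs.get(rest[len(b"SENDCERT "):])
            if der is None:
                sent.append(b"CAN")  # cancel the inquiry: we cannot supply this cert
                return Verdict.PROTOCOL_ERROR, sent
            sent += data_lines(der) + [b"END"]
            continue  # the server may ask for further certificates
        return Verdict.PROTOCOL_ERROR, sent
    return Verdict.PROTOCOL_ERROR, sent  # stream ended without a final status

def is_acceptable(verdict):
    """Fail closed: only a final OK lets the certificate through."""
    return verdict is Verdict.GOOD
```
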
If the option --allow-ocsp is enabled, this command may
alternatively run an OCSP request. The client requests this by simply
using the fingerprint instead of the certificate-id. There is no
fallback to CRL checking if the OCSP request could not be done for
whatever reason.