3.3 Configuration
Dirmngr makes use of several directories when running in daemon mode:
- /etc/gnupg
  This is where all the configuration files are expected by default.
- /etc/gnupg/trusted-certs
  This directory should be filled with certificates of Root CAs you are
  trusting in checking the CRLs and signing OCSP responses. Usually
  these are the same certificates you use with the applications making
  use of dirmngr. It is expected that each of these certificate files
  contains exactly one DER encoded certificate in a file with
  the suffix .crt or .der. dirmngr reads those
  certificates on startup and when given a SIGHUP. Certificates which
  are not readable or do not make up a proper X.509 certificate are
  ignored; see the log file for details.
  Note that for OCSP responses the certificate specified using the option
  --ocsp-signer is always considered valid to sign OCSP requests.
- /var/lib/gnupg/extra-certs
  This directory may contain extra certificates which are preloaded into
  the internal cache on startup. This is convenient in cases where you have
  a couple of intermediate CA certificates or certificates usually used to
  sign OCSP responses. These certificates are first tried before going out
  to the net to look for them. These certificates must also be
  DER encoded and suffixed with .crt or .der.
- /var/run/gnupg
  This directory keeps the socket file for accessing dirmngr services.
  The name of the socket file will be S.dirmngr. Make sure that this
  directory has the proper permissions to let dirmngr create the
  socket file and that eligible users may read and write to that socket.
- /var/cache/gnupg/crls.d
  This directory is used to store cached CRLs. The crls.d part
  will be created by dirmngr if it does not exist, but you need to make
  sure that the upper directory exists.
To be able to see what's going on you should create the configuration file
/etc/dirmngr/dirmngr.conf with at least one line:
log-file /var/log/gnupg/dirmngr.log
To be able to perform OCSP requests you probably want to add the line:
allow-ocsp
Now you may start dirmngr as a system daemon using:
dirmngr --daemon
Please ignore the output; it is not needed anymore. Check the log file
to see whether all trusted root certificates have been loaded correctly.
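As an added example (not part of the dirmngr manual or the GnuPG sources), a small POSIX shell pre-flight check of the layout described above: it flags certificate files dirmngr would ignore (wrong suffix, unreadable, or PEM rather than DER, detected by the leading ASN.1 SEQUENCE byte 0x30) and verifies that the socket directory and the parent of crls.d exist. The function names and the optional ROOT prefix argument (for checking a staging tree) are my own.

```shell
#!/bin/sh
# Added pre-flight check for the dirmngr layout above; ROOT prefixes every path.

# Verdict for one certificate file. dirmngr ignores files that are not
# named *.crt/*.der, are unreadable, or are not DER: a DER certificate
# starts with 0x30 (ASN.1 SEQUENCE), a PEM file with "-----BEGIN".
cert_file_ok() {
    f=$1
    case "$f" in
        *.crt|*.der) ;;
        *) echo "IGNORED (suffix not .crt/.der): $f"; return 1 ;;
    esac
    [ -r "$f" ] || { echo "IGNORED (not readable): $f"; return 1; }
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || { echo "IGNORED (not DER, PEM?): $f"; return 1; }
    echo "OK: $f"
}

# Print how many files in DIR dirmngr would ignore (verdicts go to stderr).
count_bad_certs() {
    bad=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        cert_file_ok "$f" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

# Check the whole layout under ROOT; succeed only when nothing needs attention.
check_dirmngr_layout() {
    root=${1%/}; problems=0            # "/" becomes "" so paths stay absolute
    for d in etc/gnupg/trusted-certs var/lib/gnupg/extra-certs; do
        if [ -d "$root/$d" ]; then
            n=$(count_bad_certs "$root/$d"); problems=$((problems + n))
        else
            echo "missing directory: $root/$d" >&2; problems=$((problems + 1))
        fi
    done
    # dirmngr must be able to create S.dirmngr here ...
    [ -d "$root/var/run/gnupg" ] && [ -w "$root/var/run/gnupg" ] ||
        { echo "socket dir $root/var/run/gnupg missing/unwritable" >&2; problems=$((problems + 1)); }
    # ... and crls.d is created on demand, but its parent must already exist
    [ -d "$root/var/cache/gnupg" ] ||
        { echo "missing $root/var/cache/gnupg (parent of crls.d)" >&2; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Usage: sh check-dirmngr.sh ROOT   (pass / to check the live system)
if [ -n "${1-}" ]; then check_dirmngr_layout "$1"; fi
```

Run it before `dirmngr --daemon`; a non-zero exit means the log file will show ignored certificates or the daemon will fail to create its socket or cache.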