4.2.2 Certificate related options
- By default policy checks are enabled. These options may be used to
- By default the CRL checks are enabled and the DirMngr is used
to check for revoked certificates. The disable option is most useful
with an off-line network connection to suppress this check.
- By default the CRL for trusted root certificates are checked
like for any other certificates. This allows a CA to revoke its own
certificates voluntary without the need of putting all ever issued
certificates into a CRL. The disable option may be used to switch this
extra check off. Due to the caching done by the Dirmngr, there will not be
any noticeable performance gain. Note, that this also disables possible
OCSP checks for trusted root certificates. A more specific way of
disabling this check is by adding the “relax” keyword to the root CA
line of the trustlist.txt
- Tell the dirmngr to reload the CRL for each request. For better
performance, the dirmngr will actually optimize this by suppressing
the loading for short time intervals (e.g. 30 minutes). This option
is useful to make sure that a fresh CRL is available for certificates
hold in the keybox. The suggested way of doing this is by using it
along with the option --with-validation for a key listing
command. This option should not be used in a configuration file.
- By default OCSP checks are disabled. The enable option may
be used to enable OCSP checks via Dirmngr. If CRL checks
are also enabled, CRLs will be used as a fallback if for some reason an
OCSP request will not succeed. Note, that you have to allow OCSP
requests in Dirmngr's configuration too (option
--allow-ocsp) and configure Dirmngr properly. If you do not do
so you will get the error code ‘Not supported’.
- If a required certificate is missing while validating the chain of
certificates, try to load that certificate from an external location.
This usually means that Dirmngr is employed to search for the
certificate. Note that this option makes a "web bug" like behavior
possible. LDAP server operators can see which keys you request, so by
sending you a message signed by a brand new key (which you naturally
will not have on your local keybox), the operator can tell both your IP
address and the time when you verified the signature.
- This option changes the default validation model. The only possible
values are "shell" (which is the default), "chain" which forces the
use of the chain model and "steed" for a new simplified model. The
chain model is also used if an option in the trustlist.txt or
an attribute of the certificate requests it. However the standard
model (shell) is in that case always tried first.
- Add oid to the list of ignored certificate extensions. The
oid is expected to be in dotted decimal form, like
188.8.131.52. This option may be used more than once. Critical
flagged certificate extensions matching one of the OIDs in the list
are treated as if they are actually handled and thus the certificate
will not be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.