Dirmngr makes use of several directories when running in daemon mode:
This is the standard home directory for all configuration files.
This directory should be filled with certificates of Root CAs you are trusting in checking the CRLs and signing OCSP Responses.
Usually these are the same certificates you use with the applications
making use of dirmngr. It is expected that each of these certificate
files contain exactly one DER encoded certificate in a file
with the suffix .crt or .der.
those certificates on startup and when given a SIGHUP. Certificates
which are not readable or do not make up a proper X.509 certificate
are ignored; see the log file for details.
Applications using dirmngr (e.g. gpgsm) can request these certificates to complete a trust chain in the same way as with the extra-certs directory (see below).
Note that for OCSP responses the certificate specified using the option --ocsp-signer is always considered valid to sign OCSP requests.
This directory may contain extra certificates which are preloaded into the internal cache on startup. Applications using dirmngr (e.g. gpgsm) can request cached certificates to complete a trust chain. This is convenient in cases you have a couple intermediate CA certificates or certificates usually used to sign OCSP responses. These certificates are first tried before going out to the net to look for them. These certificates must also be DER encoded and suffixed with .crt or .der.
This directory is used to store cached CRLs. The crls.d part will be created by dirmngr if it does not exists but you need to make sure that the upper directory exists.
To be able to see what’s going on you should create the configure file ~/gnupg/dirmngr.conf with at least one line:
To be able to perform OCSP requests you probably want to add the line:
To make sure that new options are read and that after the installation of a new GnuPG versions the installed dirmngr is running, you may want to kill an existing dirmngr first:
gpgconf --kill dirmngr
You may check the log file to see whether all desired root certificates have been loaded correctly.