ISVALID [--only-ocsp] [--force-default-responder] certid|certfpr
Check whether the certificate described by the certid has been revoked. Due to caching, the Dirmngr is able to answer immediately in most cases.
The certid is a hex encoded string consisting of two parts, delimited by a single dot. The first part is the SHA-1 hash of the issuer name and the second part the serial number.
Alternatively the certificate's SHA-1 fingerprint certfpr may be given in which case an OCSP request is done before consulting the CRL. If the option --only-ocsp is given, no fallback to a CRL check will be used. If the option --force-default-responder is given, only the default OCSP responder will be used and any other methods of obtaining an OCSP responder URL won't be used.
Common return values are:
If DirMngr has not enough information about the given certificate (which is the case for not yet cached certificates), it will will inquire the missing data:
S: INQUIRE SENDCERT <CertID> C: D <DER encoded certificate> C: END
A client should be aware that DirMngr may ask for more than one certificate.
If Dirmngr has a certificate but the signature of the certificate could not been validated because the root certificate is not known to dirmngr as trusted, it may ask back to see whether the client trusts this the root certificate:
S: INQUIRE ISTRUSTED <CertHexfpr> C: D 1 C: END
Only this answer will let Dirmngr consider the certificate as valid.