
20 System-wide configuration and pre-population for S/MIME

In the context of centrally managed software distribution, or in environments in which many users work on one computer, it makes sense to set up some system-wide specifications and pre-populated settings for Gpg4win.

This applies particularly to S/MIME: because its chains of trust are prescribed by the certification authorities rather than chosen by each user, it makes sense for all users on a machine to share that information.

Some typical system-wide settings include:

Trustworthy root certificates:

To spare each user from having to find and install the required root certificates and then check and confirm their trustworthiness (see Section 22.7), it is useful to pre-install the most important root certificates system-wide.

To this end, the root certificates should be stored as described in Section 22.3, and those that are to be trusted should be marked as trustworthy as described in Section 22.6.

Directly available CA certificates:
To spare users from searching for and importing the certificates of the certification authorities (the intermediate CA certificates that sit between a root and an end-user certificate), it also makes sense to pre-populate the system with the most important CA certificates. For a description, see Section 22.4.
Proxy for certificate server and certificate revocation list searches:

For validity information, X.509 offers different mechanisms. Most certification authorities publish certificate revocation lists (CRLs, as specified in RFC 5280), and many also operate OCSP responders (Online Certificate Status Protocol, RFC 2560). OCSP delivers more up-to-date information, but at the cost of a network connection to the OCSP responder for every check; the responder (and anyone observing the traffic) can therefore infer with whom messages are being exchanged. GnuPG can work with both mechanisms; the component responsible is "DirMngr", which runs as a system-wide service.

Internal networks often do not permit individual computers to connect directly to the outside (central firewall), but instead provide an intermediary service, a so-called "proxy". DirMngr can work with both HTTP and LDAP proxies.

S/MIME certificates usually contain information on where the revocation list covering that certificate can be retrieved from outside (the CRL distribution point). Often this is an HTTP URL, but directory services via LDAP are also common. In contrast to OpenPGP, the client cannot choose where to fetch the revocation list from, but must follow the information given in the certificate. Since some certificates only provide their revocation lists via LDAP, it is necessary to allow both HTTP and LDAP queries to the outside. If possible, the intermediary service can additionally ensure at the content level that only well-formed X.509 certificate revocation lists are passed through.

If your network requires a proxy for the HTTP, HKP or LDAP queries needed for OpenPGP or S/MIME, follow these steps:

  1. Set the X.509 certificate server search to a proxy, as described in Section 22.5.
  2. Set the certificate revocation list search to a proxy, also described in Section 22.5.
  3. Restart the DirMngr (see Section 21.7).
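As an added example that is not part of the compendium itself, the following fragments show what the two settings discussed in this chapter, pre-populated trusted roots and the proxy configuration for DirMngr, can look like in the system-wide GnuPG configuration files. The option names (`http-proxy`, `ldap-proxy`, `only-ldap-proxy`, `allow-ocsp`) and the `trustlist.txt` line format are GnuPG's own; the proxy host names and the root fingerprint are made-up placeholders, and the location of the system-wide configuration directory is assumed to be the one Gpg4win installs for all users (Section 22.3 describes the actual path).

```conf
# --- trustlist.txt (system-wide): root certificates that users may trust for S/MIME
# One line per root: the SHA-1 fingerprint of the root certificate, then the flag "S".
# The optional "relax" accepts roots that lack a basicConstraints extension
# (common with older CAs). Lines starting with "#" are comments; a leading "!"
# disables an entry without deleting it.
# The fingerprint below is a made-up placeholder; use the value shown by
#   gpgsm --with-fingerprint --list-keys
A1B2C3D4E5F60718293A4B5C6D7E8F9012345678 S relax

# --- dirmngr.conf (system-wide): how DirMngr fetches CRLs and CA certificates
# Send HTTP CRL fetches and HTTP certificate lookups through the central proxy
# (host and port are placeholders).
http-proxy proxy.example.com:3128
# Send LDAP queries (LDAP distribution points, LDAP certificate servers) through
# the LDAP proxy, and never fall back to contacting LDAP servers directly.
ldap-proxy ldap-proxy.example.com:389
only-ldap-proxy
# OCSP is disabled in DirMngr by default. Leave the next line commented out
# unless the privacy trade-off described above is acceptable in your network.
# allow-ocsp
```

Users' own `trustlist.txt` files can pull in the system-wide list with an `include-default` line, so an administrator can extend the set of trusted roots centrally without touching individual profiles. After editing `dirmngr.conf`, DirMngr has to be restarted (step 3) before the new proxy settings take effect.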

© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the GNU Free Documentation License v1.2.

