
22 Files and settings in Gpg4win

22.1 Personal user settings

The personal settings for each user are found in the file folder:
%APPDATA%\gnupg
Often, this is the following folder:
C:\Documents and settings\<name>\Application data\gnupg\

Please note that this is a hidden file folder. To make it visible, you have to activate the option Show all files and folders under the group Hidden files and folders in the tab View of the Explorer menu Extras -> Folder options.

This file folder contains all personal GnuPG data, hence private keys, certificates, trust settings and configurations. This folder is not deleted when Gpg4win is uninstalled. Please ensure that you make regular backup copies of this folder.

22.2 Cached certificate revocation lists

The system-wide service DirMngr (Directory Manager) also checks whether an X.509 certificate has been revoked and can therefore no longer be used. To this end, certificate revocation lists (CRLs) are fetched from the issuing offices of the certificates (the CAs) and cached for the duration of their validity period.

The lists are saved under:
C:\Documents and Settings\LocalService\Lokale Settings\Application data\GNU\cache\dirmngr\crls.d\

These are protected system files, which Explorer does not display by default. If you wish to show these files anyway, deactivate the option Hide protected system files in the Windows Explorer View settings.

No changes should be made to this file folder.

22.3 Trustworthy root certificates from DirMngr

For a complete verification of X.509 certificates, you must trust the root certificates which were used to sign the revocation lists.

The root certificates which the DirMngr should trust across the entire system when performing its checks are stored in the following file folder:

C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\trusted-certs\


Important: The corresponding root certificates must be available as files in DER format in the above file folder, with the file extension .crt or .der.

The DirMngr runs as a system-wide service and must be restarted if changes have been made to the "trusted certs" file folder. Afterwards, the root certificates saved in this folder are set to trustworthy for all users.

Please also see Section 22.6 in order to completely trust root certificates (system-wide).

22.4 Other certificates from DirMngr

Since the X.509 certificate chain must be checked prior to a cryptographic operation, the corresponding certificate of the certification authority ("Certificate Authority", CA) must also be checked.

For immediate availability, CA certificates can be saved in this (system-wide) file folder:
C:\Documents and settings\All Users\Application data\GNU\lib\dirmngr\extra-certs\

Certificates that are not available here and/or not available in the user's own key store must be loaded automatically from X.509 certificate servers.
These CA certificates can, however, also be imported manually by a user.

It makes sense to store the most important CA certificates in this folder as part of system-wide specifications.

22.5 System-wide configuration for use of external X.509 certificate servers

GnuPG can be configured in such a way that the system searches for missing X.509 certificates or certificate revocation lists on external X.509 certificate servers (see also Chapter 20).
To conduct an X.509 certificate search, the system service DirMngr uses a list of certificate servers which can be entered in the file
C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\ldapservers.conf
These certificate servers are used for all users (system-wide). In addition, users can also set up additional user-specific certificate servers for certificate searches - e.g. directly via Kleopatra (see Chapter 16.1).

The exact syntax for certificate server entries in the aforementioned configuration file is as follows:

HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN

If access to external X.509 certificate servers is blocked by firewalls in the internal network, it is also possible to configure a proxy service in ldapservers.conf for transmitting the certificate search, as illustrated in the following sample line:

proxy.mydomain.example:389:::O=myorg,C=de
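
The following Python script is an added example; it is not part of the Gpg4win Compendium or of GnuPG. It parses entries in the HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN format described above and reports what an administrator would want to know before deploying the file system-wide: malformed lines, and entries that store a bind password in plain text in a shared configuration file. The sample file content is constructed (its first line is the proxy example quoted above), and the fallback to port 389 for an empty PORT field is an assumption of this script, not a rule stated in the text.

```python
"""Parser and auditor for DirMngr ldapservers.conf entries.

Added example; not part of the Gpg4win Compendium or of GnuPG. It assumes
only the HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN line format from the text.
The sample file below is constructed, and treating an empty PORT as the
standard LDAP port 389 is an assumption of this script.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LdapServer:
    host: str
    port: int
    username: str
    password: str
    base_dn: str


def parse_ldapservers(text: str) -> Tuple[List[LdapServer], List[str]]:
    """Return (servers, findings) for the content of an ldapservers.conf file.

    Blank lines and lines starting with '#' are skipped. Every other line must
    carry exactly five colon-separated fields; BASE_DN may contain commas, but
    with this format none of the fields may contain a colon.
    """
    servers: List[LdapServer] = []
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            findings.append(
                f"line {lineno}: expected 5 fields, found {len(fields)}: {line!r}"
            )
            continue
        host, port, username, password, base_dn = fields
        if not host:
            findings.append(f"line {lineno}: empty HOSTNAME")
            continue
        if port == "":
            port_num = 389  # assumption: empty PORT means the standard LDAP port
        elif port.isdigit() and 1 <= int(port) <= 65535:
            port_num = int(port)
        else:
            findings.append(f"line {lineno}: invalid PORT {port!r}")
            continue
        if password:
            # A bind password in a shared, system-wide file deserves review:
            # everyone who can read the file can read the credential.
            findings.append(
                f"line {lineno}: entry for {host} stores a plain-text password"
            )
        servers.append(LdapServer(host, port_num, username, password, base_dn))
    return servers, findings


# Constructed sample; the first entry is the proxy line quoted in the text.
SAMPLE_CONF = """# system-wide certificate servers (constructed sample)
proxy.mydomain.example:389:::O=myorg,C=de
ldap.example.org::reader:s3cret:O=example,C=de
broken-entry-without-base-dn:389
"""

if __name__ == "__main__":
    servers, findings = parse_ldapservers(SAMPLE_CONF)
    for s in servers:
        auth = "bind as " + s.username if s.username else "anonymous"
        print(f"{s.host}:{s.port} base={s.base_dn!r} ({auth})")
    for f in findings:
        print("finding:", f)
```

Run it against a copy of the real ldapservers.conf by reading the file into `parse_ldapservers`; every line that does not parse into five fields is reported with its line number, and each entry that carries a password is listed so that its exposure can be reviewed before the file is placed in the system-wide folder.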

With respect to the search for Certificate Revocation Lists (CRLs), the same directory contains the configuration file:

C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\dirmngr.conf

Please note that only administrators can write in this file.

You can add the following proxy options to this configuration file (each option in a row):

  • http-proxy HOST[:PORT] This option uses HOST and PORT for accessing the certificate server. The environment variable http_proxy is overridden if this option is activated.

    Example:
    http-proxy http://proxy.mydomain.example:8080

  • ldap-proxy HOST[:PORT] This option uses HOST and PORT for accessing the certificate server. If no port number is listed, the standard LDAP port 389 will be used. This option overrides the LDAP URL contained in the certificate, or uses HOST and PORT if no LDAP URL has been entered.
  • only-ldap-proxy This option ensures that DirMngr only uses the proxy configured under ldap-proxy. Otherwise DirMngr will try to use other configured certificate servers if the connection via ldap-proxy is not successful.

22.6 System-wide trustworthy root certificates

The pre-populated root certificates which are deemed trustworthy for the entire system are defined in the file:
C:\Documents and settings\All Users\Application data\GNU\etc\gnupg\trustlist.txt

To mark a root certificate as trustworthy, the fingerprint of the certificate, followed by a space and a capital S, must be entered into the above file. A certificate is explicitly marked as not trustworthy if the line begins with the prefix "!". You can also enter multiple root certificates. In that case, please ensure that each fingerprint is on a line of its own. A line that begins with # is treated as a comment and ignored.

Important: The last line of the file must be terminated by a line break, i.e. the file must end with an empty line.

An example:

# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S

In some cases it is useful to reduce the criteria for checking the root certificate. To do this, you can set an additional flag relax after the S: <FINGERPRINT> S relax

Important: Using relax reduces the level of security, so it needs to be decided on a case-by-case basis and should only be used in the case of problems.

For more details, see current GnuPG documentation (item "trustlist.txt"):
http://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html

The exact syntax for entries in trustlist.txt is therefore as follows:
[!]<FINGERPRINT> S [relax]
whereby ! and relax are optional.

Instead of the flag S, the values P and * are also provided, which are reserved for future use.
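
The following Python script is an added example; it is not part of the Gpg4win Compendium or of GnuPG, and it does not replace gpg-agent's own parsing of trustlist.txt. It implements the [!]<FINGERPRINT> S [relax] syntax summarised above, accepts the flags S, P and * mentioned in the text, normalises fingerprints written with or without colons, checks the empty-line-at-end requirement from Section 22.6, and reports every entry that uses relax so that such exceptions can be reviewed. The sample file content combines the three example lines from Section 22.6 with two constructed lines (one relax entry with a made-up fingerprint and one malformed entry).

```python
"""Parser and checker for trustlist.txt entries ([!]<FINGERPRINT> S [relax]).

Added example; not part of the Gpg4win Compendium or of GnuPG. The sample
content combines the example lines from the text with two constructed lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A fingerprint is 40 hex digits, written contiguously or as 20 colon-separated byte pairs.
_FPR_RE = re.compile(r"^(?:[0-9A-Fa-f]{40}|(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})$")
_VALID_FLAGS = {"S", "P", "*"}  # P and * are reserved for future use per the text


@dataclass
class TrustEntry:
    fingerprint: str   # normalised: upper case, no colons
    flag: str
    trusted: bool      # False when the line started with "!"
    relax: bool
    line: int


def parse_trustlist(text: str) -> Tuple[List[TrustEntry], List[str]]:
    """Return (entries, issues). Issues cover syntax errors and relax warnings."""
    entries: List[TrustEntry] = []
    issues: List[str] = []
    if text and not text.endswith("\n"):
        issues.append("file does not end with a newline (last line must be terminated)")
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) not in (2, 3):
            issues.append(f"line {lineno}: expected '[!]<FINGERPRINT> S [relax]', got {line!r}")
            continue
        fpr_tok, flag = tokens[0], tokens[1]
        trusted = not fpr_tok.startswith("!")
        fpr_raw = fpr_tok if trusted else fpr_tok[1:]
        if not _FPR_RE.match(fpr_raw):
            issues.append(f"line {lineno}: invalid fingerprint {fpr_raw!r}")
            continue
        if flag not in _VALID_FLAGS:
            issues.append(f"line {lineno}: unknown flag {flag!r}")
            continue
        relax = False
        if len(tokens) == 3:
            if tokens[2] != "relax":
                issues.append(f"line {lineno}: unknown option {tokens[2]!r}")
                continue
            relax = True
            # relax lowers the verification level for this root; list it for review.
            issues.append(f"line {lineno}: warning, 'relax' reduces checking for {fpr_raw}")
        entries.append(TrustEntry(fpr_raw.replace(":", "").upper(), flag, trusted, relax, lineno))
    return entries, issues


def trust_status(entries: List[TrustEntry], fingerprint: str) -> Optional[bool]:
    """True/False for an explicitly listed root, None if the root is not listed."""
    key = fingerprint.replace(":", "").upper()
    for entry in entries:
        if entry.fingerprint == key:
            return entry.trusted
    return None


# Constructed sample: the first three entries are the examples from Section 22.6,
# the relax entry uses a made-up fingerprint, and the last line is deliberately broken.
SAMPLE_TRUSTLIST = """# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S

# constructed relax entry (placeholder fingerprint)
0123456789ABCDEF0123456789ABCDEF01234567 S relax

# constructed malformed entry
DEADBEEF S
"""

if __name__ == "__main__":
    entries, issues = parse_trustlist(SAMPLE_TRUSTLIST)
    for e in entries:
        state = "trusted" if e.trusted else "NOT trusted"
        print(f"line {e.line}: {e.fingerprint} {state}{' (relax)' if e.relax else ''}")
    for issue in issues:
        print("issue:", issue)
```

Reading the real system-wide or per-user trustlist.txt into `parse_trustlist` gives a quick review of which roots are explicitly trusted, which are explicitly rejected with "!", and which carry the relax exception; `trust_status` answers the same question for a single fingerprint in either notation.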

Important: To fully mark root certificates as trustworthy in Kleopatra (certificate is highlighted in blue), the root certificates must also be stored for the DirMngr, as described in Section 22.3.

22.7 User marking of trustworthiness of root certificates

Root certificates can also be marked as trustworthy by individual users - this means that a system-wide configuration (see Section 22.3 and 22.6) is then not required.

Open the Kleopatra menu Settings -> Configure Kleopatra and then the group S/MIME check. Then activate the option Allow root certificates to be marked trustworthy. Now, if you are using a root certificate that has not been previously marked as trustworthy, the system will ask you whether you wish to classify it as trustworthy. Please note that gpg-agent may have to be restarted before a change takes effect (e.g. by logging out and in again).

The root certificates which you have marked as trustworthy (or explicitly marked as non-trustworthy) are automatically stored in the following file:
C:\Dokumente und Einstellungen\<Nutzername>\Application data\gnupg\trustlist.txt

The same syntax applies to trustlist.txt as described in Section 22.6.


© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the GNU Free Documentation License v1.2.

