Q: gpgsm says "Unsupported certificate"

Werner Koch wk at gnupg.org
Thu Oct 6 14:03:24 CEST 2011


given that you get the "Unsupported certifciate" error on all
certificates and that you don't see any more diagnostics, the
problem is in dirmngr:

          log_error (_("critical certificate extension %s is not supported"),
          rc = gpg_error (GPG_ERR_UNSUPPORTED_CERT);

I guess we should rework some diagnostics to also include the error
source in the text, so that you would seen:

     [certificate is bad: Unsupported certificate (dirmngr)]

To workwround this problem you may use a dirmngr option:

  @item --ignore-cert-extension @var{oid}
  @opindex ignore-cert-extension
  Add @var{oid} to the list of ignored certificate extensions.  The
  @var{oid} is expected to be in dotted decimal form, like
  @code{}.  This option may be used more than once.  Critical
  flagged certificate extensions matching one of the OIDs in the list
  are treated as if they are actually handled and thus the certificate
  won't be rejected due to an unknown critical extension.  Use this
  option with care because extensions are usually flagged as critical
  for a reason.

If you enable a dirmngr log file wou will notice the error shown above
which includes the OID of the extension.  Add this extension to
/etc/dimngr/dirmngr.conf (if run as system services) or
~/.gnupg/dirmngr.conf (if run under user control).

Does this help?

BTW, to get a more detailed view of a certifciate, you may use

  gpgsm --dump-cert USER_ID_ETC

Note that the dirmngr may use certificates which are not in GPGSM's
certificate store.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list