Q: gpgsm says "Unsupported certificate"
Werner Koch
wk at gnupg.org
Thu Oct 6 14:03:24 CEST 2011
Hi,
given that you get the "Unsupported certificate" error on all
certificates and that you don't see any more diagnostics, the
problem is in dirmngr:
    log_error (_("critical certificate extension %s is not supported"),
               oid);
    rc = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
I guess we should rework some diagnostics to also include the error
source in the text, so that you would see:
    [certificate is bad: Unsupported certificate (dirmngr)]
To work around this problem you may use a dirmngr option:
@item --ignore-cert-extension @var{oid}
@opindex ignore-cert-extension
Add @var{oid} to the list of ignored certificate extensions. The
@var{oid} is expected to be in dotted decimal form, like
@code{2.5.29.3}. This option may be used more than once. Critical
flagged certificate extensions matching one of the OIDs in the list
are treated as if they are actually handled and thus the certificate
won't be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.
If you enable a dirmngr log file you will notice the error shown above
which includes the OID of the extension. Add this extension to
/etc/dirmngr/dirmngr.conf (if run as a system service) or
~/.gnupg/dirmngr.conf (if run under user control).
Does this help?
BTW, to get a more detailed view of a certificate, you may use
    gpgsm --dump-cert USER_ID_ETC
Note that the dirmngr may use certificates which are not in GPGSM's
certificate store.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
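
One way to carry out the log step described in the message above, as an added example that is not part of the original post or of GnuPG: it pulls the OIDs out of the "critical certificate extension ... is not supported" lines of a dirmngr log and prints commented-out dirmngr.conf candidates for review. The function names, the sample log layout and the OIDs are constructed; the config-file form (option name without the leading dashes) follows the usual GnuPG convention, and the match assumes untranslated (English) log messages.

```shell
#!/bin/sh
# Added example: list unsupported critical extensions recorded in a dirmngr log.
# Assumption: the log carries the message text quoted in the post,
# "critical certificate extension <OID> is not supported", in English.

# unsupported_oids LOGFILE -> "COUNT OID" per distinct OID, most frequent first
unsupported_oids() {
    sed -n 's/.*critical certificate extension \([0-9][0-9.]*\) is not supported.*/\1/p' "$1" |
        grep -E '^[0-9]+(\.[0-9]+)+$' |   # keep only well-formed dotted-decimal OIDs
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# conf_lines LOGFILE -> candidate dirmngr.conf lines, left commented out so that
# each OID is looked up and understood before its critical flag is overridden
conf_lines() {
    unsupported_oids "$1" | while read -r count oid; do
        printf '# seen %s time(s); review before enabling\n' "$count"
        printf '#ignore-cert-extension %s\n' "$oid"
    done
}

# Constructed sample log: timestamps, PID and OIDs are made up for the demo.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2011-10-06 14:00:01 dirmngr[4242] critical certificate extension 1.2.3.4.5 is not supported
2011-10-06 14:00:02 dirmngr[4242] (constructed unrelated log line)
2011-10-06 14:02:10 dirmngr[4242] critical certificate extension 1.2.3.4.5 is not supported
2011-10-06 14:02:45 dirmngr[4242] critical certificate extension 1.2.3.99 is not supported
EOF

conf_lines "$sample_log"
```

Only uncomment a line once the extension behind the OID has been identified, since the option makes dirmngr treat that critical extension as handled.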