gpgsm certificate validity
yyy
yyy at yyy.id.lv
Mon Aug 22 15:27:45 CEST 2011
On 2011.08.22. 15:18, yyy wrote:
> On 2011.08.22. 15:03, Werner Koch wrote:
>> On Mon, 22 Aug 2011 11:07, yyy at yyy.id.lv said:
>>
>>> How to verify if a certificate (in keyring) is valid?
>> gpgsm -k --with-validation USERID
>>
>> without USERID all certificates are validated. In case you want to skip
>> CRL checks, add the option --disable-crl-checks.
> This produced an error:
> [certificate is bad: No value]
> The rest of the data about the certificate was fine (ID, S/N, Issuer, Subject,
> validity, key type, chain length, fingerprint)
>
> What does it mean? Attempts to encrypt to this USERID also produced the
> error "No value"
A few more updates.
If using gpgsm -k --with-validation
(without providing a USERID), it also provides
fingerprint: 81:4A:73:CC:AB:BC:41:Dgpgsm: dirmngr cache-only key
lookup failed
: Not found
3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD
That certificate is a self-signed certificate and it seems that gpgsm
is trying to find it in some external file (not in the keyring).
In addition to --with-validation, I used --disable-crl-checks and
--disable-policy-checks, but these did not change anything.
Also, searching Google for "[certificate is bad: No value]" produced
one result from this list, from 2006:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023160.html
(Google result)
Further in that thread, there was a message:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023175.html
This certificate does not have BasicConstraints; maybe this is the cause
of the error?
I imported another root certificate; this one had BasicConstraints set, and the import
went differently:
there was a popup asking if I want to trust it (when importing the first
certificate, it did not ask anything).
For that certificate, gpgsm -k --with-validation --disable-crl-checks
went without errors.
Encryption using such IDs worked.
So, the main problem seems to be (lack of) presence of BasicConstraints
in certificate.
Is it possible to override check for BasicConstraints? Is it a bug?
--ignore-cert-extensions <> cannot be used, because the problem is lack
of presence of extension, not presence of extension.
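As an added example (not code from this thread, from GnuPG or from gpgsm), here is a stdlib-only Python check that reports whether a DER-encoded X.509 certificate carries the BasicConstraints extension (OID 2.5.29.19) and what it says, so a root can be inspected before it is imported. The sample blobs at the bottom are constructed Extensions fragments, not real certificates; for a real file, pass the PEM text to pem_to_der() first.

```python
import base64

# DER encoding of OBJECT IDENTIFIER 2.5.29.19 (id-ce-basicConstraints)
BASIC_CONSTRAINTS_OID = bytes.fromhex("06 03 55 1d 13")

def pem_to_der(pem_text):
    """Strip the PEM armor lines and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, length, hdr = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[hdr:hdr + n], "big")
        hdr += n
    return tag, hdr, hdr + length

def _walk(data, start, end):
    """Yield every TLV, descending into constructed values (bit 0x20 set)."""
    pos = start
    while pos < end:
        tag, hdr, nxt = _tlv(data, pos)
        yield tag, hdr, nxt
        if tag & 0x20:
            yield from _walk(data, hdr, nxt)
        pos = nxt

def basic_constraints(cert_der):
    """None if the extension is absent, else {'critical', 'ca', 'path_len'}."""
    for tag, hdr, end in _walk(cert_der, 0, len(cert_der)):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        if tag != 0x30 or cert_der[hdr:hdr + 5] != BASIC_CONSTRAINTS_OID:
            continue
        critical = False
        t, h, e = _tlv(cert_der, hdr + 5)
        if t == 0x01:                      # optional 'critical' BOOLEAN
            critical = cert_der[h] == 0xFF
            t, h, e = _tlv(cert_der, e)
        if t != 0x04:
            raise ValueError("malformed Extension: expected OCTET STRING extnValue")
        # extnValue wraps BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
        _, p, seq_end = _tlv(cert_der, h)
        ca, path_len = False, None
        while p < seq_end:
            t, h, e = _tlv(cert_der, p)
            if t == 0x01:
                ca = cert_der[h] == 0xFF
            elif t == 0x02:
                path_len = int.from_bytes(cert_der[h:e], "big")
            p = e
        return {"critical": critical, "ca": ca, "path_len": path_len}
    return None

# Constructed samples (Extensions SEQUENCEs only, not full certificates):
NO_BC = bytes.fromhex("30 0f 30 0d 06 03 55 1d 0e 04 06 04 04 de ad be ef")  # only subjectKeyIdentifier
CA_BC = bytes.fromhex("30 11 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff")  # critical, CA:TRUE
PATHLEN_BC = bytes.fromhex("30 11 30 0f 06 03 55 1d 13 04 08 30 06 01 01 ff 02 01 00")  # CA:TRUE, pathlen 0

if __name__ == "__main__":
    for name, blob in (("NO_BC", NO_BC), ("CA_BC", CA_BC), ("PATHLEN_BC", PATHLEN_BC)):
        print(name, basic_constraints(blob))
```

A root that returns None here is the case the thread describes: gpgsm has nothing to tell it the certificate is a CA, so the chain fails with "No value".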