gpgsm certificate validity

yyy yyy at yyy.id.lv
Mon Aug 22 18:05:07 CEST 2011


On 2011.08.22. 17:31, Werner Koch wrote:
> On Mon, 22 Aug 2011 15:27, yyy at yyy.id.lv said:
>
>> This certificate does not have  BasicConstraints, maybe this is a cause
>> of error?
> Quite likely.  That is required for CA certifciates.
>
>> Is it possible to override check for BasicConstraints? Is it a bug?
> Try adding the relax keyword to the entry in ~/.gnuypg/trustlist.txt .
>
That eventually fixed it. Thanks. There were some errors, along the way,
though:

Trustlist.txt initially contained only hash of second certificate (with
BasicConstraints). Added hash of other certificate (the one without
BasicConstraints) and now on ALL certificates gpgsm -k --with-validation
--disable-crl-checks
produces error [certificate is bad: Line too long]. In this case, first
line in trustlist.txt was for second certificate in keyring and second
line was for first certificate in keyring. Swapping these lines in
trustlist.txt, fixed it.

So, order of certificate hashes, relative of certificate order in
keyring, is critically important?




More information about the Gnupg-users mailing list