S/MIME certificates with LDAP-only CRL uri
Alexander Grahn
a.grahn at web.de
Wed Feb 22 16:35:34 CET 2023
Hello,
recently I obtained a free certificate from DGN (German Health Net) for signing
e-mails. I imported the p12 file with gpgsm into my keybox and added the
complete certificate chain to ~/.gnupg/trustlist.txt
When I try to sign or encrypt, I get the following error:
$ gpgsm --armor --sign testfile.txt
gpgsm: certificate not found: No public key
gpgsm: certificate #410FE63506C68DDF/CN=dgnservice CA 2 Type E:PN,O=DGN Deutsches Gesundheitsnetz Service GmbH,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: error creating signature: Not found <GpgSM>
It only works if I disable CRL checking with option
--disable-crl-checks, which is not such a good idea, I guess.
The CA provides only an LDAP URI for getting the revocation list. Root and
intermediate certificates can be downloaded here:
https://www.dgn.de/dgncert/downloads.html
`gpgsm --dump-chain' presents me the following URI:
crlDP: ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint
Now my question is whether the LDAP server is down, the URI incomplete
or wrong, or whether the problem is on the GPG end. On the other hand,
I cannot imagine that a wrong LDAP URI remains unnoticed by non-GPG
users. I know nothing about ldap and how to test such an URI. What can I do?
I am using gnupg-2.4.0 and I double checked that it was compiled with
ldap support.
Alex
More information about the Gnupg-users
mailing list