[Gpg4win-devel] X509 Root certificates and trusting them
Bernhard Reiter
bernhard at intevation.de
Tue Jun 29 11:23:38 CEST 2010
On Friday, 21 May 2010 12:03:22, Bernhard Reiter wrote:
> The recommended way for a
> production X509 /CMS system is that a list of trusted X509 root
> certificates is maintained by the administrator of the system
> directly for dirmngr and possibly the global gpgsm.
For gpgsm to be able to use certificates,
you need to have the full validated chain of certificates.
Especially for the root certificate, the person administrating
the machines (e.g. you) must ensure three conditions are given.
(Paths examples for GNU systems,
the paths will be different for Mac OS or Windows.)
a) You need to have the root certificate and be sure that the file is
the root certificate you would like to trust. You need to do this
best at installation time - as in the heat of the moment users will
go along with everything just to get the task done.
b) Make sure dirmngr trusts the root certificate.
info dirmngr Installation
konqueror info:/dirmngr/Installation
http://gnupg.org/documentation/manuals/dirmngr/Installation.html
In short, the recommended way is to put it as a .der file
in /etc/dirmngr/trusted-certs and restart the dirmngr service.
Life might be easier if users have "prefer-system-dirmngr" in their local
gpgsm.conf (usually ~/.gnupg/gpgsm.conf).
c) Make sure gpg-agent trusts the root certificate
The recommended way is to do this system-wide:
c.1) Place the right line in /etc/gnupg/trustlist.txt
References:
Existence of configuration file:
info gnupg2 Installation
konqueror info:/gnupg2/Installation
http://gnupg.org/documentation/manuals/gnupg/Installation.html
Format of trustlist.txt:
info gnupg2 "Invoking GPG-AGENT" "Agent Configuration"
konqueror info:/gnupg2/Agent Configuration
http://gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html
c.2) Make sure all users have "include-default" in their personal
trustlist.txt. Usually ~/.gnupg/trustlist.txt.
I guess all gpg-agents will need a kick after the trustlist.txt change.
Try sending a SIGHUP to all gpg-agent processes, e.g.
killall -SIGHUP gpg-agent
In order to update all users' private configuration files at once,
you can try using GnuPG's helper application called
applygnupgdefaults
Documentation starts here:
info gnupg2 "Helper Tools" applygnupgdefaults
konqueror info:/gnupg2/applygnupgdefaults
http://gnupg.org/documentation/manuals/gnupg/applygnupgdefaults.html
Hints for reading the documentation:
Using the documentation of your installed version is preferred,
because it might be more correct regarding your installation.
Use the command line "info", if you are familiar with it.
It will be installed on many GNU systems. There are other texinfo console
viewers of course, like tkman or pinfo.
If you have konqueror installed, using "info:gnupg2" as URL will also work,
using the script /usr/share/apps/kio_info/kde-info2html which on Debian Lenny
comes with the kdebase-kio-plugins package. I usually prefer this.
Best,
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
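As an added example (not code from the post or from GnuPG), the following POSIX shell functions check conditions a) and c) from the message above: they derive the trustlist.txt fingerprint from a root certificate stored as a .der file, verify that a trustlist lists it with the S flag, and verify that a user's trustlist.txt carries include-default. It assumes the fingerprint gpg-agent expects is the SHA-1 of the certificate's full DER encoding and that entries have the form "<fingerprint> <flags>".

```shell
#!/bin/sh
# Added example, not code from the post or from GnuPG.  Assumption: the
# fingerprint gpg-agent expects in trustlist.txt is the SHA-1 of the full
# DER encoding, so sha1sum over the .der file yields it.  Entries are
# "<fingerprint> <flags>"; "#" starts a comment, "!" before a fingerprint
# disables the entry, and "include-default" pulls in /etc/gnupg/trustlist.txt.

# Fingerprint of a DER certificate: upper-case hex, no colons.
der_fingerprint() {
    sha1sum "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Strip colons and upper-case a fingerprint as read from the file.
normalise_fpr() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# The line to append to /etc/gnupg/trustlist.txt for an S/MIME root.
trustlist_line() {
    printf '%s S\n' "$(der_fingerprint "$1")"
}

# Succeeds if trustlist $1 has an enabled entry for fingerprint $2 whose
# trust flag is S (S/MIME) or * (any); comments and disabled lines skipped.
trustlist_has_smime_root() {
    want=$(normalise_fpr "$2")
    while read -r fpr flag _ || [ -n "$fpr" ]; do
        case "$fpr" in ''|\#*|\!*|include-default) continue ;; esac
        [ "$(normalise_fpr "$fpr")" = "$want" ] || continue
        case "$flag" in S|\*) return 0 ;; esac
    done < "$1"
    return 1
}

# Succeeds if a user's ~/.gnupg/trustlist.txt carries include-default.
user_includes_default() {
    grep -q '^[[:space:]]*include-default[[:space:]]*$' "$1"
}

# Demo on constructed files: the bytes "abc" stand in for a DER certificate.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/root.der"
trustlist_line "$demo_dir/root.der" > "$demo_dir/trustlist.txt"
printf 'include-default\n' > "$demo_dir/user-trustlist.txt"
trustlist_has_smime_root "$demo_dir/trustlist.txt" \
    "$(der_fingerprint "$demo_dir/root.der")" && echo "root trusted for S/MIME"
user_includes_default "$demo_dir/user-trustlist.txt" && echo "user includes default"
rm -r "$demo_dir"
```

Run it against /etc/gnupg/trustlist.txt and each user's ~/.gnupg/trustlist.txt after the change to confirm both halves of step c) before kicking the gpg-agents.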