S/MIME certificates with LDAP-only CRL uri

Alexander Grahn a.grahn at web.de
Wed Feb 22 16:35:34 CET 2023


Hello,

recently I obtained a free certificate from DGN (German Health Net) for signing
e-mails. I imported the p12 file with gpgsm into my keybox and added the
complete certificate chain to ~/.gnupg/trustlist.txt

When I try to sign or encrypt, I get the following error:

  $ gpgsm --armor --sign testfile.txt
  gpgsm: certificate not found: No public key
  gpgsm: certificate #410FE63506C68DDF/CN=dgnservice CA 2 Type E:PN,O=DGN Deutsches Gesundheitsnetz Service GmbH,C=DE
  gpgsm: checking the CRL failed: Not found
  gpgsm: error creating signature: Not found <GpgSM>

It only works if I disable CRL checking with option
--disable-crl-checks, which is not such a good idea, I guess.

The CA provides only an LDAP URI for getting the revocation list. Root and
intermediate certificates can be downloaded here:

  https://www.dgn.de/dgncert/downloads.html

`gpgsm --dump-chain' presents me the following URI:

crlDP: ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint

Now my question is whether the LDAP server is down, the URI incomplete
or wrong, or whether the problem is on the GPG end. On the other hand,
I cannot imagine that a wrong LDAP URI remains unnoticed by non-GPG
users. I know nothing about ldap and how to test such a URI. What can I do?

I am using gnupg-2.4.0 and I double checked that it was compiled with
ldap support.

Alex
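The crlDP value above is an RFC 4516 LDAP URL, and the question of whether the server, the URL or gpgsm is at fault can be narrowed down by taking the URL apart and querying the directory by hand instead of turning off revocation checks. The script below is an added example (not from the post, not part of GnuPG or anything DGN publishes): it parses an LDAP URL into host, port, base DN, attributes, scope and filter, applies the RFC 4516 defaults, and builds the equivalent OpenLDAP `ldapsearch` command line. Only the Python standard library is used; the sample URL is the one printed by `gpgsm --dump-chain` in the post, and the bracket-wrapping of a bare `attr=value` filter is my own normalisation (the post's URL omits the parentheses RFC 4515 expects).

```python
"""Parse an RFC 4516 LDAP URL (as found in a certificate's crlDistributionPoints)
and turn it into a command that checks the CRL endpoint by hand.
Added example, standard library only."""
import shlex
import socket
from urllib.parse import unquote

# The crlDP URI printed by `gpgsm --dump-chain` in the post (copied verbatim).
DGN_CRL_URL = ("ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE"
               "?certificateRevocationList?base?objectClass=cRLDistributionPoint")

VALID_SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split scheme://host[:port]/dn[?attrs[?scope[?filter[?extensions]]]].

    Components are separated on '?' *before* percent-decoding, because RFC 4516
    requires a literal '?' or '/' inside a DN or filter to be percent-encoded;
    each component is then decoded on its own.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    if hostport.startswith("["):                       # bracketed IPv6 literal
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("LDAP URL has no host")
    port = int(port) if port else (636 if scheme == "ldaps" else 389)
    parts = tail.split("?")
    parts += [""] * (5 - len(parts))                   # pad absent trailing components
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts[:5])
    scope = scope or "base"                            # RFC 4516 default scope
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope %r (want base|one|sub)" % scope)
    filt = filt or "(objectClass=*)"                   # RFC 4516 default filter
    if not filt.startswith("("):
        filt = "(" + filt + ")"                        # normalise a bare attr=value filter
    return {
        "scheme": scheme, "host": host, "port": port, "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope, "filter": filt,
        "extensions": [e for e in exts.split(",") if e],
    }


def ldapsearch_argv(p):
    """Equivalent OpenLDAP ldapsearch(1) call: anonymous simple bind (-x),
    plain LDIF output (-LLL), base DN (-b), scope (-s), filter, attribute list."""
    argv = ["ldapsearch", "-x", "-LLL",
            "-H", "%s://%s:%d" % (p["scheme"], p["host"], p["port"]),
            "-b", p["dn"], "-s", p["scope"], p["filter"]]
    return argv + p["attributes"]


def ldapsearch_command(p):
    """Same invocation as a copy-and-paste shell line (DN and filter get quoted)."""
    return " ".join(shlex.quote(a) for a in ldapsearch_argv(p))


def tcp_reachable(host, port, timeout=5.0):
    """First-line check before blaming gpgsm: does anything accept a TCP
    connection on the CRL server's LDAP port? Touches the network; False on error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    parsed = parse_ldap_url(DGN_CRL_URL)
    for key, value in parsed.items():
        print("%-11s %s" % (key + ":", value))
    print("\nManual check:\n  " + ldapsearch_command(parsed))
    print("\nPort open:", tcp_reachable(parsed["host"], parsed["port"]))
```

If `ldapsearch` returns an entry, the CRL arrives as a base64 LDIF attribute (often labelled `certificateRevocationList;binary::`); decode it with `base64 -d` and inspect the DER with `openssl crl -inform DER -noout -text -in <file>` to confirm it is a current CRL signed by the issuing CA. If the port is closed or the search returns no entry, the problem is on the CA side and gpgsm is behaving correctly. Note that gpgsm itself does not fetch CRLs; it hands the URL to dirmngr, so setting `log-file` and `debug-level guru` in `~/.gnupg/dirmngr.conf` shows which step of the LDAP fetch fails on the GnuPG side.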
