gnupg: Certificate Options
5.2.2 Certificate related options
---------------------------------
'--enable-policy-checks'
'--disable-policy-checks'
By default policy checks are enabled. These options may be used to
change it.
'--enable-crl-checks'
'--disable-crl-checks'
By default the CRL checks are enabled and the DirMngr is used to
check for revoked certificates. The disable option is most useful
with an off-line network connection to suppress this check and also
to avoid that new certificates introduce a web bug by including a
certificate specific CRL DP. The disable option also disables an
issuer certificate lookup via the authorityInfoAccess property of
the certificate; the '--enable-issuer-key-retrieve' can be used to
make use of that property anyway.
'--enable-trusted-cert-crl-check'
'--disable-trusted-cert-crl-check'
By default the CRL for trusted root certificates are checked like
for any other certificates. This allows a CA to revoke its own
certificates voluntary without the need of putting all ever issued
certificates into a CRL. The disable option may be used to switch
this extra check off. Due to the caching done by the Dirmngr,
there will not be any noticeable performance gain. Note, that this
also disables possible OCSP checks for trusted root certificates.
A more specific way of disabling this check is by adding the
"relax" keyword to the root CA line of the 'trustlist.txt'
'--force-crl-refresh'
Tell the dirmngr to reload the CRL for each request. For better
performance, the dirmngr will actually optimize this by suppressing
the loading for short time intervals (e.g. 30 minutes). This
option is useful to make sure that a fresh CRL is available for
certificates hold in the keybox. The suggested way of doing this
is by using it along with the option '--with-validation' for a key
listing command. This option should not be used in a configuration
file.
'--enable-issuer-based-crl-check'
Run a CRL check even for certificates which do not have any CRL
distribution point. This requires that a suitable LDAP server has
been configured in Dirmngr and that the CRL can be found using the
issuer. This option reverts to what GnuPG did up to version
2.2.20. This option is in general not useful.
'--enable-ocsp'
'--disable-ocsp'
By default OCSP checks are disabled. The enable option may be used
to enable OCSP checks via Dirmngr. If CRL checks are also enabled,
CRLs will be used as a fallback if for some reason an OCSP request
will not succeed. Note, that you have to allow OCSP requests in
Dirmngr's configuration too (option '--allow-ocsp') and configure
Dirmngr properly. If you do not do so you will get the error code
'Not supported'.
'--auto-issuer-key-retrieve'
If a required certificate is missing while validating the chain of
certificates, try to load that certificate from an external
location. This usually means that Dirmngr is employed to search
for the certificate. Note that this option makes a "web bug" like
behavior possible. LDAP server operators can see which keys you
request, so by sending you a message signed by a brand new key
(which you naturally will not have on your local keybox), the
operator can tell both your IP address and the time when you
verified the signature.
'--validation-model NAME'
This option changes the default validation model. The only
possible values are "shell" (which is the default), "chain" which
forces the use of the chain model and "steed" for a new simplified
model. The chain model is also used if an option in the
'trustlist.txt' or an attribute of the certificate requests it.
However the standard model (shell) is in that case always tried
first.
'--ignore-cert-extension OID'
Add OID to the list of ignored certificate extensions. The OID is
expected to be in dotted decimal form, like '2.5.29.3'. This
option may be used more than once. Critical flagged certificate
extensions matching one of the OIDs in the list are treated as if
they are actually handled and thus the certificate will not be
rejected due to an unknown critical extension. Use this option
with care because extensions are usually flagged as critical for a
reason.