catalog Info Catalog previous gnupg: Dirmngr LOOKUP up gnupg: Dirmngr Protocol next gnupg: Dirmngr CHECKCRL

gnupg: Dirmngr ISVALID

 
 3.6.2 Validate a certificate using a CRL or OCSP
 ------------------------------------------------
 
        ISVALID [--only-ocsp] [--force-default-responder] CERTID|CERTFPR
 
    Check whether the certificate described by the CERTID has been
 revoked.  Due to caching, the Dirmngr is able to answer immediately in
 most cases.
 
    The CERTID is a hex encoded string consisting of two parts, delimited
 by a single dot.  The first part is the SHA-1 hash of the issuer name
 and the second part the serial number.
 
    Alternatively the certificate's SHA-1 fingerprint CERTFPR may be
 given in which case an OCSP request is done before consulting the CRL.
 If the option '--only-ocsp' is given, no fallback to a CRL check will be
 used.  If the option '--force-default-responder' is given, only the
 default OCSP responder will be used and any other methods of obtaining
 an OCSP responder URL won't be used.
 
 Common return values are:
 
 'GPG_ERR_NO_ERROR (0)'
      This is the positive answer: The certificate is not revoked and we
      have an up-to-date revocation list for that certificate.  If OCSP
      was used the responder confirmed that the certificate has not been
      revoked.
 
 'GPG_ERR_CERT_REVOKED'
      This is the negative answer: The certificate has been revoked.
      Either it is in a CRL and that list is up to date or an OCSP
      responder informed us that it has been revoked.
 
 'GPG_ERR_NO_CRL_KNOWN'
      No CRL is known for this certificate or the CRL is not valid or out
      of date.
 
 'GPG_ERR_NO_DATA'
      The OCSP responder returned an "unknown" status.  This means that
      it is not aware of the certificate's status.
 
 'GPG_ERR_NOT_SUPPORTED'
      This is commonly seen if OCSP support has not been enabled in the
      configuration.
 
    If DirMngr has not enough information about the given certificate
 (which is the case for not yet cached certificates), it will inquire the
 missing data:
 
        S: INQUIRE SENDCERT <CertID>
        C: D <DER encoded certificate>
        C: END
 
    A client should be aware that DirMngr may ask for more than one
 certificate.
 
    If Dirmngr has a certificate but the signature of the certificate
 could not been validated because the root certificate is not known to
 dirmngr as trusted, it may ask back to see whether the client trusts
 this the root certificate:
 
        S: INQUIRE ISTRUSTED <CertHexfpr>
        C: D 1
        C: END
 
    Only this answer will let Dirmngr consider the certificate as valid.
catalog Info Catalog previous gnupg: Dirmngr LOOKUP up gnupg: Dirmngr Protocol next gnupg: Dirmngr CHECKCRL