man dirmngr-client (Commands) - tests a certificate against a CRL
NAME
dirmngr-client - tests a certificate against a CRL
SYNOPSIS
dirmngr-client [options] [certfile | pattern]
DESCRIPTION
The dirmngr-client is a simple tool to contact a running dirmngr and test whether a certificate has been revoked -- either by being listed in the corresponding CRL or by running the OCSP protocol. If no dirmngr is running, a new instance will be started, but this is in general not a good idea due to the huge performance overhead.
The usual way to run this tool is either
dirmngr-client acert
or
dirmngr-client <acert
where acert is one DER encoded (binary) X.509 certificate to be tested.
RETURN VALUE
- 0
- The certificate under question is valid; i.e., there is a valid CRL available, and it is not listed there, or the OCSP request returned that the certificate is valid.
- 1
- The certificate has been revoked.
- 2 (and other values)
- There was a problem checking the revocation state of the certificate. A message to stderr has given more detailed information. Most likely this is due to a missing or too old CRL or a network problem.
OPTIONS
- --version
- Print the program version and licensing information. Note that you cannot abbreviate this command.
- --help, -h
- Print a usage message summarizing the most useful command-line options. Note that you cannot abbreviate this command.
- --quiet, -q
- Make the output extra brief by suppressing any informational messages.
- --verbose, -v
- Outputs additional information while running. You can increase the verbosity by giving several verbose commands to dirmngr-client, such as -vv.
- --pem
- Assume that the given certificate is in PEM (armored) format.
- --ocsp
- Do the check using the OCSP protocol and ignore any CRLs.
- --ping
- Check whether the dirmngr daemon is up and running.
- --cache-cert
- Put the given certificate into the cache of a running dirmngr. This is mainly useful for debugging.
- --validate
- Validate the given certificate using dirmngr's internal validation code. This is mainly useful for debugging.
- --load-crl
- This command expects a list of filenames with DER encoded CRL files. All CRLs will be validated and then loaded into dirmngr's cache.
- --lookup
- Take the remaining arguments and run a lookup command on each of them. The results are Base-64 encoded outputs (without header lines). This may be used to retrieve certificates from a server. However the output format is not very well suited if more than one certificate is returned.
- --squid-mode
- Run dirmngr-client in a mode suitable as a helper program for Squid's external_acl_type option.
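Added example (not part of the original manual page): a POSIX shell wrapper that maps the exit codes listed under RETURN VALUE to a decision and treats status 2 and any other value as "unknown" rather than as valid. The function names and the DIRMNGR_CLIENT override variable are assumptions made for this example; only the options --quiet, --pem and --ocsp documented above are passed to the tool.

```shell
#!/bin/sh
# Fail-closed revocation gate around dirmngr-client (added example).
# DIRMNGR_CLIENT is an assumed override so the wrapper can be pointed at a
# stub for testing; by default the real binary on PATH is used.
: "${DIRMNGR_CLIENT:=dirmngr-client}"

# is_pem FILE
# Succeeds if the first line of FILE is a PEM certificate header, in which
# case dirmngr-client must be told with --pem (it expects DER by default).
is_pem() {
    head -n 1 < "$1" 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----'
}

# revocation_status FILE [ocsp]
# Prints exactly one word: good | revoked | unknown
# Returns 0 only for "good", 1 for "revoked", 2 for everything else, so a
# caller can write:  if revocation_status cert.der >/dev/null; then ...
revocation_status() {
    cert=$1
    mode=${2:-crl}

    # An unreadable file can never produce a "good" verdict.
    if [ ! -r "$cert" ]; then
        echo unknown
        return 2
    fi

    # Build the option list from the documented flags only.
    set -- --quiet
    if is_pem "$cert"; then set -- "$@" --pem; fi
    if [ "$mode" = ocsp ]; then set -- "$@" --ocsp; fi

    # Capture the exit status without tripping `set -e` in the caller.
    rc=0
    "$DIRMNGR_CLIENT" "$@" "$cert" >/dev/null || rc=$?

    case $rc in
        0) echo good;    return 0 ;;
        1) echo revoked; return 1 ;;
        # 2 and other values: missing or too old CRL, network problem, or
        # the tool could not be run at all. Never report this as valid.
        *) echo unknown; return 2 ;;
    esac
}
```

The detailed reason for an "unknown" result is left on stderr, where dirmngr-client writes it.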
AUTHOR
dirmngr-client was written by g10 Code GmbH and Klarälvdalens Datakonsult AB. Please report bugs to <gpa-dev@gnupg.org>. This manual page was transcribed from the Texinfo documentation by Peter Eisentraut.