22 Files and settings in Gpg4win | Contents |
The personal settings for each user are found in the file folder:
%APPDATA%\gnupg
Often, this is the following folder:
C:\Documents and settings\<name>\Application data\gnupg\
Please note that this is a hidden folder. To make it visible, activate the option Show all files and folders under the group Hidden files and folders in the View tab of the Explorer menu Extras -> Folder options.
This file folder contains all personal GnuPG data, hence private keys, certificates, trust settings and configurations. This folder is not deleted when Gpg4win is uninstalled. Please ensure that you make regular backup copies of this folder.
The system-wide service DirMngr (Directory Manager) also checks whether an X.509 certificate has been revoked and can therefore no longer be used. To this end, certificate revocation lists (CRLs) are fetched from the certificate authorities (CAs) that issued the certificates and cached for the duration of their validity period.
The lists are saved under:
C:\Documents and Settings\LocalService\Local Settings\Application data\GNU\cache\dirmngr\crls.d\
These are protected system files, which Explorer does not display by default. If you wish to show them, deactivate the option Hide protected system files in the Windows Explorer View settings.
No changes should be made to this file folder.
For a full review of X.509 certificates, you must trust the root certificates which were used to sign the revocation lists.
The root certificates which the DirMngr should trust across the entire system when performing its checks are stored in the following file folder:
C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\trusted-certs\
Important: The corresponding root certificates must be available as files in DER format in the above folder, with the file extension .crt or .der.
The DirMngr runs as a system-wide service and must be restarted if changes have been made to the "trusted certs" file folder. Afterwards, the root certificates saved in this folder are set to trustworthy for all users.
Please also see Section 22.6 in order to completely trust root certificates (system-wide).
Since the X.509 certificate chain must be checked prior to a cryptographic operation, the certificate of the issuing certification authority ("Certificate Authority", CA) must also be checked.
For immediate availability, CA certificates can be saved in this (system-wide) folder:
C:\Documents and settings\All Users\Application data\GNU\lib\dirmngr\extra-certs\
Certificates that are available neither here nor in the user's own certificate store must be loaded automatically from X.509 certificate servers. Alternatively, a user can import these CA certificates manually.
It makes sense to store the most important CA certificates in this folder as part of system-wide specifications.
GnuPG can be configured so that the system searches for missing X.509 certificates or certificate revocation lists on external X.509 certificate servers (see also Chapter 20).
To conduct an X.509 certificate search, the system service DirMngr uses a list of certificate servers which can be entered in the file
C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\ldapservers.conf
These certificate servers are used for all users (system-wide). In addition, users can set up additional user-specific certificate servers for certificate searches, e.g. directly via Kleopatra (see Chapter 16.1).
The exact syntax for certificate server entries in the aforementioned configuration file is as follows:
HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN
If access to external X.509 certificate servers is blocked by firewalls in the internal network, a proxy service can also be configured in ldapservers.conf to relay the certificate search, as illustrated in the following sample line:
proxy.mydomain.example:389:::O=myorg,C=de
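As an added illustration of the entry syntax above (this is example code written for this page, not part of Gpg4win or DirMngr), the following parser reads the colon-separated fields of a constructed ldapservers.conf, including the proxy line quoted above, and lists entries that embed a password in this system-wide, world-readable file. The default port 389 for an empty PORT field is an assumption.

```python
"""Parse entries of Gpg4win's system-wide ldapservers.conf (HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN)."""
from dataclasses import dataclass


@dataclass
class LdapServer:
    host: str
    port: int
    username: str
    password: str
    base_dn: str


# Constructed sample file content; the proxy line is the one quoted in the text above.
SAMPLE_LDAPSERVERS_CONF = """\
# system-wide certificate servers (constructed sample)
x500.example.org:389:::O=Example,C=DE
proxy.mydomain.example:389:::O=myorg,C=de
ldap.example.net:636:reader:s3cret:DC=example,DC=net
"""


def parse_ldapservers(text):
    """Return one LdapServer per non-comment line; raise on lines with fewer than 5 fields."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split into at most 5 pieces so a colon inside BASE_DN stays part of the DN.
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 colon-separated fields, got {len(fields)}")
        host, port, user, pw, base_dn = fields
        # Assumption: an empty PORT field falls back to the standard LDAP port 389.
        servers.append(LdapServer(host, int(port) if port else 389, user, pw, base_dn))
    return servers


def plaintext_credentials(servers):
    """Hosts whose entry stores a password: this file is readable by every user of the machine."""
    return [s.host for s in servers if s.password]
```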
For the retrieval of Certificate Revocation Lists (CRLs), the same directory contains the configuration file:
C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\dirmngr.conf
Please note that only administrators can write in this file.
You can add proxy options to this configuration file (one option per line).
Example:
http-proxy http://proxy.mydomain.example:8080
The pre-populated root certificates which are deemed trustworthy for the entire system are defined in the file
C:\Documents and settings\All Users\Application data\GNU\etc\gnupg\trustlist.txt
To mark a root certificate as trustworthy, enter the fingerprint of the certificate into the above file, followed by a space and a capital S. A certificate is explicitly marked as not trustworthy if the line begins with the prefix "!". You can enter multiple root certificates; in that case, please ensure that each fingerprint is on its own line. A line that begins with # is treated as a comment and ignored.
Important: The file must end with an empty line.
An example:
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
In some cases it is useful to reduce the criteria for checking the root certificate. To do this, you can set the additional flag relax after the S:
<FINGERPRINT> S relax
Important: Using relax reduces the level of security, so it needs to be decided on a case-by-case basis and should only be used in the case of problems.
For more details, see current GnuPG documentation (item "trustlist.txt"):
http://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html
Thus, the exact syntax for entries in trustlist.txt is as follows:
[!]<FINGERPRINT> S [relax]
where ! and relax are optional.
Instead of the flag S, the values P and * are also provided, which are reserved for future use.
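As an added example of the entry syntax just described (written for this page; not code from GnuPG or Gpg4win), the following parser reads a constructed trustlist.txt built from the three entries shown above plus one made-up relax entry, normalises colon-separated and plain fingerprints, checks the trailing empty line the text requires, and lists the roots whose checks were weakened with relax so an administrator can review them case by case.

```python
"""Audit entries of gpg-agent's trustlist.txt: [!]<FINGERPRINT> S [relax]."""
import re

# Constructed sample: the three entries shown on this page plus one constructed 'relax' line.
SAMPLE_TRUSTLIST = """\
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
# constructed entry with reduced checks (not from the page)
0123456789ABCDEF0123456789ABCDEF01234567 S relax

"""

# Optional '!' prefix, hex fingerprint with optional colons, flag S/P/*, optional 'relax'.
ENTRY_RE = re.compile(r"^(?P<bang>!?)(?P<fpr>[0-9A-Fa-f:]+)\s+(?P<flag>[SP*])(?:\s+(?P<opt>relax))?$")


def parse_trustlist(text):
    """Return a list of (fingerprint, trusted, relax) tuples; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        fpr = m.group("fpr").replace(":", "").upper()
        if len(fpr) != 40:  # the SHA-1 fingerprint of an X.509 certificate is 20 bytes
            raise ValueError(f"line {lineno}: fingerprint must be 40 hex digits")
        entries.append((fpr, m.group("bang") == "", m.group("opt") == "relax"))
    return entries


def ends_with_blank_line(text):
    """The text above requires the file to end with an empty line."""
    return text.endswith("\n\n")


def relaxed_roots(entries):
    """Trusted fingerprints whose checks were weakened with 'relax'; review these case by case."""
    return [fpr for fpr, trusted, relax in entries if trusted and relax]
```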
Important: To fully mark root certificates as trustworthy in Kleopatra (certificate is highlighted in blue), the root certificates must also be stored for the DirMngr, as described in Section 22.3.
Root certificates can also be marked as trustworthy by individual users - this means that a system-wide configuration (see Section 22.3 and 22.6) is then not required.
Open the Kleopatra menu Settings -> Configure Kleopatra and then the group S/MIME check. Then activate the option Allow root certificates to be marked trustworthy. Now, if you use a root certificate that has not previously been marked as trustworthy, the system will ask you whether you wish to classify it as trustworthy. Please note that gpg-agent may have to be restarted before a change takes effect (e.g. by logging out and in again).
The root certificates which you have marked as trustworthy (or explicitly marked as non-trustworthy) are automatically stored in the following file:
C:\Documents and settings\<name>\Application data\gnupg\trustlist.txt
The same syntax applies to trustlist.txt as described in Section 22.6.
© 31 August 2010, v3.0.0-beta1 (last minor changes on 21 September 2010)
The Gpg4win Compendium is licensed under the GNU Free Documentation License v1.2.