Provided by: dirmngr_2.1.11-6ubuntu2_i386 bug


       dirmngr - CRL and OCSP daemon


       dirmngr [options] command [args]


       Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
       keyservers.  As with previous versions it is also used as a server  for
       managing  and downloading certificate revocation lists (CRLs) for X.509
       certificates, downloading X.509 certificates, and providing  access  to
       OCSP  providers.   Dirmngr  is invoked internally by gpg, gpgsm, or via
       the gpg-connect-agent tool.

       For historical reasons it is also possible to start dirmngr in a system
       daemon  mode  which  uses  a different directory layout.  However, this
       mode is deprecated and may eventually be removed.


       Commands are not distinguished from options except for  the  fact  that
       only one command is allowed.

              Print  the program version and licensing information.  Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most  useful  command-line
              options.  Not that you cannot abbreviate this command.

              Print  a  list of all available options and commands.  Note that
              you cannot abbreviate this command.

              Run in server mode and wait for  commands  on  the  stdin.   The
              default  mode  is  to  create  a  socket and listen for commands
              there.  This is only used for testing.

              Run in background daemon mode  and  listen  for  commands  on  a
              socket.   Note that this also changes the default home directory
              and enables the internal certificate validation code.  This mode
              is deprecated.

              List  the  contents of the CRL cache on stdout. This is probably
              only useful for debugging purposes.

       --load-crl file
              This command requires a filename as additional argument, and  it
              will make Dirmngr try to import the CRL in file into it's cache.
              Note, that this is only possible if Dirmngr is able to  retrieve
              the  CA's  certificate directly by its own means.  In general it
              is better to use gpgsm's --call-dirmngr loadcrl filename command
              so that gpgsm can help dirmngr.

       --fetch-crl url
              This command requires an URL as additional argument, and it will
              make dirmngr try to retrieve an import the  CRL  from  that  url
              into  it's cache.  This is mainly useful for debugging purposes.
              The dirmngr-client provides  the  same  feature  for  a  running

              This  commands  shuts down an running instance of Dirmngr.  This
              command has currently no effect.

              This command removes all  CRLs  from  Dirmngr's  cache.   Client
              requests will thus trigger reading of fresh CRLs.


       --options file
              Reads  configuration  from file instead of from the default per-
              user configuration file.   The  default  configuration  file  is
              named ‘dirmngr.conf’ and expected in the home directory.

       --homedir dir
              Set  the name of the home directory to dir.  This option is only
              effective when used on the command line.  The default depends on
              the running mode:

              With --daemon given on the commandline
                     the   directory   named   ‘/etc/gnupg2’   is   used   for
                     configuration files and  ‘/var/cache/gnupg2’  for  cached

              Without --daemon given on the commandline
                     the  directory  named  ‘.gnupg’  directly  below the home
                     directory of the user  unless  the  environment  variable
                     GNUPGHOME  has  been  set in which case its value will be
                     used.  All kind of data is stored below this directory.


              Outputs additional information while running.  You can  increase
              the  verbosity  by  giving  several verbose commands to dirmngr,
              such as -vv.

       --log-file file
              Append all logging output to file.   This  is  very  helpful  in
              seeing what the agent actually does.

       --debug-level level
              Select the debug level for investigating problems.  level may be
              a numeric value or by a keyword:

              none   No debugging at all.  A value of less than 1 may be  used
                     instead of the keyword.

              basic  Some  basic  debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get.  A  value  greater
                     than  8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the  keyword  is

       How  these  messages  are  mapped  to the actual debugging flags is not
       specified and may change with newer releases of this program. They  are
       however carefully selected to best aid in debugging.

       --debug flags
              This  option  is only useful for debugging and the behaviour may
              change at any time without notice.  FLAGS are  bit  encoded  and
              may be given in usual C-Syntax.

              Same as --debug=0xffffffff

       --gnutls-debug level
              Enable debugging of GNUTLS at level.

       --debug-wait n
              When  running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This  gives  time  to
              attach a debugger.




       --csh  Format  the info output in daemon mode for use with the standard
              Bourne shell respective the C-shell . The default ist  to  guess
              it  based  on  the environment variable SHELL which is in almost
              all cases sufficient.

              Enabling this option forces loading of  expired  CRLs;  this  is
              only useful for debugging.

              This option switches Dirmngr and thus GnuPG into ``Tor mode'' to
              route  all  network  access  via  Tor  (an  anonymity  network).
              WARNING:  As  of  now  this still leaks the DNS queries; e.g. to
              lookup the hosts in a keyserver pool.   Certain  other  features
              are disabled if this mode is active.

       --keyserver name
              Use  name  as  your  keyserver.   This  is  the  server that gpg
              communicates with to receive keys, send  keys,  and  search  for
              keys.      The    format    of    the    name    is    a    URI:
              `scheme:[//]keyservername[:port]' The  scheme  is  the  type  of
              keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap"
              for the  LDAP  keyservers,  or  "mailto"  for  the  Graff  email
              keyserver.  Note  that your particular installation of GnuPG may
              have other keyserver types available as well. Keyserver  schemes
              are   case-insensitive.   After  the  keyserver  name,  optional
              keyserver configuration options may be provided.  These are  the
              same  as  the --keyserver-options of gpg, but apply only to this
              particular keyserver.

              Most  keyservers  synchronize  with  each  other,  so  there  is
              generally  no  need  to  send  keys to more than one server. The
              keyserver hkp:// uses round robin DNS  to  give  a
              different keyserver each time you use it.

              If  exactly  two keyservers are configured and only one is a Tor
              hidden service (.onion), Dirmngr selects the  keyserver  to  use
              depending  on  whether Tor is locally running or not.  The check
              for a running Tor is done for each new connection.

       --nameserver ipaddr
              In ``Tor mode'' Dirmngr  uses  a  public  resolver  via  Tor  to
              resolve  DNS  names.   If  the default public resolver, which is
    , shall not be used a different one can  be  given  using
              this  option.   Note  that  a numerical IP address must be given
              (IPv6 or IPv4) and that no error checking is  done  for  ipaddr.
              DNS queries in Tor mode do only work if GnuPG as been build with
              ADNS support.

              Entirely disables the use of LDAP.

              Entirely disables the use of HTTP.

              When looking for the  location  of  a  CRL,  the  to  be  tested
              certificate  usually  contains  so called CRL Distribution Point
              (DP) entries which are URLs describing the  way  to  access  the
              CRL.   The  first  found DP entry is used.  With this option all
              entries using the HTTP scheme are ignored  when  looking  for  a
              suitable DP.

              This  is  similar  to --ignore-http-dp but ignores entries using
              the LDAP scheme.  Both options  may  be  combined  resulting  in
              ignoring DPs entirely.

              Ignore  all  OCSP URLs contained in the certificate.  The effect
              is to force the use of the default responder.

              If the environment variable ‘http_proxy’ has been set,  use  its
              value to access HTTP servers.

       --http-proxy host[:port]
              Use  host  and  port  to  access  HTTP servers.  The use of this
              option   overrides   the   environment   variable   ‘http_proxy’
              regardless whether --honor-http-proxy has been set.

       --ldap-proxy host[:port]
              Use  host  and  port  to  connect  to  LDAP servers.  If port is
              ommitted, port 389 (standard LDAP port) is used.  This overrides
              any  specified host and port part in a LDAP URL and will also be
              used if host and port have been ommitted from the URL.

              Never use anything else but the LDAP "proxy" as configured  with
              --ldap-proxy.   Usually  dirmngr  tries  to use other configured
              LDAP server if the connection using the "proxy" failed.

       --ldapserverlist-file file
              Read  the  list  of  LDAP  servers  to  consult  for  CRLs   and
              certificates  from  file  instead  of  the default per-user ldap
              server   list   file.   The   default   value   for   file    is
              ‘dirmngr_ldapservers.conf’ or ‘ldapservers.conf’ when running in
              --daemon mode.

              This server list file contains one LDAP server per line  in  the


              Lines starting with a  '#' are comments.

              Note  that as usual all strings entered are expected to be UTF-8
              encoded.  Obviously this will lead to problems if  the  password
              has  orginally  been  encoded  as  Latin-1.   There  is no other
              solution here than to put such a password in the binary encoding
              into   the   file  (i.e.  non-ascii  characters  won't  show  up
              readable). ([The gpgconf tool might be helpful for frontends  as
              it  allows to edit this configuration file using percent escaped

       --ldaptimeout secs
              Specify the number of seconds to wait for an LDAP  query  before
              timing  out. The default is currently 100 seconds.  0 will never

              This options makes dirmngr add any  servers  it  discovers  when
              validating  certificates  against  CRLs  to the internal list of
              servers to consult for certificates and CRLs.

              This options is useful when trying  to  validate  a  certificate
              that  has  a CRL distribution point that points to a server that
              is not already listed in the ldapserverlist. Dirmngr will always
              go  to  this server and try to download the CRL, but chances are
              high that the certificate used to sign the CRL is located on the
              same  server. So if dirmngr doesn't add that new server to list,
              it will often not be able to verify the  signature  of  the  CRL
              unless the --add-servers option is used.

              Note: The current version of dirmngr has this option disabled by

              This option enables OCSP support if requested by the client.

              OCSP requests are rejected by default because they  may  violate
              the privacy of the user; for example it is possible to track the
              time when a user is reading a mail.

       --ocsp-responder url
              Use url as the default OCSP Responder if  the  certificate  does
              not contain information about an assigned responder.  Note, that
              --ocsp-signer must also be set to a valid certificate.

       --ocsp-signer fpr|file
              Use the certificate  with  the  fingerprint  fpr  to  check  the
              responses   of  the  default  OCSP  Responder.   Alternativly  a
              filename can be given in which case the respinse is expected  to
              be  signed  by  one  of the certificates described in that file.
              Any argument which contains a slash, dot or tilde is  considered
              a  filename.   Usual  filename expansion takes place: A tilde at
              the start followed by a slash is  replaced  by  the  content  of
              ‘HOME’,  no  slash  at start describes a relative filename which
              will be searched at the home directory.  To make sure  that  the
              file  is searched in the home directory, either prepend the name
              with "./" or use a name which contains a dot.

              If a response has been signed  by  a  certificate  described  by
              these  fingerprints  no  further check upon the validity of this
              certificate is done.

              The format of the FILE is a list of SHA-1 fingerprint,  one  per
              line  with  optional  colons between the bytes.  Empty lines and
              lines prefix with a hash mark are ignored.

       --ocsp-max-clock-skew n
              The number of seconds a skew between the OCSP responder and them
              local clock is accepted.  Default is 600 (20 minutes).

       --ocsp-max-period n
              Seconds a response is at maximum considered valid after the time
              given in the thisUpdate field.  Default is 7776000 (90 days).

       --ocsp-current-period n
              The number of seconds an OCSP response is considered valid after
              the  time  given  in the NEXT_UPDATE datum.  Default is 10800 (3

       --max-replies n
              Do not return more that n items in one query.   The  default  is

       --ignore-cert-extension oid
              Add  oid to the list of ignored certificate extensions.  The oid
              is expected to be in dotted decimal form, like   This
              option may be used more than once.  Critical flagged certificate
              extensions matching one of the OIDs in the list are  treated  as
              if  they  are actually handled and thus the certificate won't be
              rejected due to an unknown critical extension.  Use this  option
              with care because extensions are usually flagged as critical for
              a reason.

       --hkp-cacert file
              Use the root certificates in file for verification  of  the  TLS
              certificates used with hkps (keyserver access over TLS).  If the
              file is in PEM format a suffix of .pem  is  expected  for  file.
              This  option  may  be  given  multiple  times  to  add more root
              certificates.  Tilde expansion is supported.


       Here is an example on how to show dirmngr's internal table  of  OpenPGP
       keyserver addresses.  The output is intended for debugging purposes and
       not part of a defined API.

           gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye

       To inhibit the use of a particular host you have noticed in one of  the
       keyserver pools, you may use

          gpg-connect-agent --dirmngr 'keyserver --dead' /bye

       The description of the keyserver command can be printed using

          gpg-connect-agent --dirmngr 'help keyserver' /bye


       Dirmngr makes use of several directories when running in daemon mode:


              The  first  is the standard home directory for all configuration
              files.   In  the  deprecated  system  daemon  mode  the   second
              directory is used instead.

              This  directory  should  be filled with certificates of Root CAs
              you are trusting in checking the CRLs and signing OCSP Reponses.

              Usually these  are  the  same  certificates  you  use  with  the
              applications making use of dirmngr.  It is expected that each of
              these  certificate  files  contain  exactly  one   DER   encoded
              certificate in a file with the suffix ‘.crt’ or ‘.der’.  dirmngr
              reads those certificates on startup and  when  given  a  SIGHUP.
              Certificates  which  are not readable or do not make up a proper
              X.509 certificate are ignored; see the log file for details.

              Applications  using  dirmngr  (e.g.  gpgsm)  can  request  these
              certificates  to  complete a trust chain in the same way as with
              the extra-certs directory (see below).

              Note that for OCSP responses the certificate specified using the
              option  --ocsp-signer  is  always  considered valid to sign OCSP

              This  directory  may  contain  extra  certificates   which   are
              preloaded  into the interal cache on startup. Applications using
              dirmngr (e.g. gpgsm) can request cached certificates to complete
              a  trust  chain.   This is convenient in cases you have a couple
              intermediate CA certificates or certificates  ususally  used  to
              sign  OCSP  reponses.  These certificates are first tried before
              going out to the net to look for them.  These certificates  must
              also be DER encoded and suffixed with ‘.crt’ or ‘.der’.

              This  directory  is  only  used  in the deprecated system daemon
              mode.  It keeps the socket file for accessing dirmngr  services.
              The name of the socket file will be ‘S.dirmngr’.  Make sure that
              this directory has the proper permissions to let dirmngr  create
              the  socket  file  and that eligible users may read and write to
              that socket.


              The first directory is used to store cached CRLs.  The  ‘crls.d’
              part  will  be  created by dirmngr if it does not exists but you
              need to make sure that the upper directory exists.   The  second
              directory is used instead in the deprecated systems daemon mode.


       A  running  dirmngr  may  be controlled by signals, i.e. using the kill
       command to send a signal to the process.

       Here is a list of supported signals:

       SIGHUP This signals flushes all internally cached CRLs as well  as  any
              cached    certificates.    Then   the   certificate   cache   is
              reinitialized as on  startup.   Options  are  re-read  from  the
              configuration file.  Instead of sending this signal it is better
              to use
         gpgconf --reload dirmngr

              Shuts down the process but waits until all current requests  are
              fulfilled.   If  the process has received 3 of these signals and
              requests are still pending, a shutdown is forced.  You may  also
         gpgconf --kill dirmngr
       instead of this signal

       SIGINT Shuts down the process immediately.

              This prints some caching statistics to the log file.


       gpgsm(1), dirmngr-client(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site,  the

         info gnupg

       should  give  you  access  to  the  complete  manual  including  a menu
       structure and an index.