NAME
dirmngr-client - CRL and OCSP daemon
SYNOPSIS
dirmngr-client [options] [certfile|pattern]
DESCRIPTION
The dirmngr-client is a simple tool to contact a running dirmngr and test whether a certificate has been revoked --- either by being listed in the corresponding CRL or by running the OCSP protocol. If no dirmngr is running, a new instances will be started but this is in general not a good idea due to the huge performance overhead.
The usual way to run this tool is either:
dirmngr-client acert
or
dirmngr-client <acert
Where acert is one DER encoded (binary) X.509 certificates to be tested.
RETURN VALUE
dirmngr-client returns these values:
| 0 | The certificate under question is valid; i.e. there is a valid CRL
available and it is not listed tehre or teh OCSP request returned that
that certificate is valid.
|
| 1 | The certificate has been revoked
|
| 2 (and other values) | |
| There was a problem checking the revocation state of the certificate.
A message to stderr has given more detailed information. Most likely
this is due to a missing or expired CRL or due to a network problem.
| |
OPTIONS
dirmngr-client may be called with the following options:
| --version | |
| Print the program version and licensing information. Note that you cannot
abbreviate this command.
| |
| --help, -h | |
| Print a usage message summarizing the most useful command-line options.
Note that you cannot abbreviate this command.
| |
| --quiet, -q | |
| Make the output extra brief by suppressing any informational messages.
| |
|
-v
--verbose | Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to dirmngr, such as ’-vv’.
|
| --pem | Assume that the given certificate is in PEM (armored) format.
|
| --ocsp | |
| Do the check using the OCSP protocol and ignore any CRLs.
| |
| --force-default-responder | |
| When checking using the OCSP protocl, force the use of the default OCSP
responder. That is not to use the Reponder as given by the certificate.
| |
| --ping | |
| Check whether the dirmngr daemon is up and running.
| |
| --cache-cert | |
| Put the given certificate into the cache of a running dirmngr. This is
mainly useful for debugging.
| |
| --validate | |
| Validate the given certificate using dirmngr’s internal validation code.
This is mainly useful for debugging.
| |
| --load-crl | |
| This command expects a list of filenames with DER encoded CRL files.
All CRL will be validated and then loaded into dirmngr’s cache.
| |
| --lookup | |
| Take the remaining arguments and run a lookup command on each of them.
The results are Base-64 encoded outputs (without header lines). This
may be used to retrieve certificates from a server. However the output
format is not very well suited if more than one certificate is returned.
| |
|
--url
-u | Modify the lookup command to take an URL and not a pattern.
|
|
--local
-l | |
| Let the lookup command only search the local cache.
| |
| --squid-mode | |
| Run dirmngr-client in a mode suitable as a helper program for
Squid’s external_acl_type option.
| |
SEE ALSO
dirmngr(1), gpgsm(1)
The full documentation for this tool is maintained as a Texinfo manual. If dirmngr and the info program are properly installed at your site, the command
info dirmngr
should give you access to the complete manual including a menu structure and an index.
