Thanks, Peter! According to the documentation the trusted certificates need to be in a folder named "trusted-certs" in the home directory. I don't believe I've copied them there manually, so if it hasn't happened automatically that could very well be the issue. I'm at work but once I get home I'll check it out and report back.

Really appreciate the help,
Dave

Sent from my iPhone

> On Feb 21, 2017, at 10:13 AM, Peter Lebbing <pe...@digitalbrains.com> wrote:
>
>> On 21/02/17 13:20, David Gray wrote:
>> I'm no expert, but when I look at the debug info (attached to
>> original email), it appears that gpgsm is able to get the crl that my
>> cert points to but it may be having trouble parsing it.
>
> Reading that part made me think it couldn't find the issuer of the CRL:
>
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate
>> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
>
> When I fetch the CRL we're talking about, OpenSSL tells me about it:
>
>> Certificate Revocation List (CRL):
>>         Version 2 (0x1)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
>> Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>>         Last Update: Feb 20 16:07:34 2017 GMT
>>         Next Update: Feb 24 16:07:34 2017 GMT
>>         CRL extensions:
>>             X509v3 Authority Key Identifier:
>>
>> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>>
>>             X509v3 CRL Number:
>>                 822
>
> The issuer is the certificate that gpgsm knows about:
>
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number:
>>             e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network,
>> CN=AddTrust External CA Root
>>         Validity
>>             Not Before: Dec 22 00:00:00 2014 GMT
>>             Not After : May 30 10:48:38 2020 GMT
>>         Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
>> CN=COMODO SHA-256 Client Authentication and Secure Email CA
>> [...]
>>         X509v3 extensions:
>>             X509v3 Authority Key Identifier:
>>
>> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>>
>>             X509v3 Subject Key Identifier:
>>                 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>> [...]
>> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89
>
> I suspect that even though gpgsm knows about it, dirmngr might not,
> hence the failing CRL verification. I think you need to feed the
> certificate to dirmngr as well.
>
> Whether this is actually the reason you're having problems, I don't know.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
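
The cross-check made by eye in the quoted message (dirmngr's missing key ID against the CRL's Authority Key Identifier and the CA certificate's Subject Key Identifier), as an added example that is not part of the original thread. The function names and the label `comodo-client-ca` are hypothetical; the sample text is excerpted from the outputs quoted above.

```python
import re

KEYID = r"((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"  # 20 colon-separated hex bytes

def norm(key_id):
    """Canonical key ID: 40 uppercase hex digits, no colons or braces."""
    return re.sub(r"[^0-9A-Fa-f]", "", key_id).upper()

def missing_issuers(dirmngr_log):
    """Key IDs dirmngr reports as 'CRL issuer certificate {...} not found'."""
    pat = r"CRL issuer certificate\s*\{([0-9A-Fa-f]{40})\}\s*not found"
    return [norm(k) for k in re.findall(pat, dirmngr_log)]

def extension_key_id(openssl_text, extension):
    """Key ID printed under 'X509v3 <extension>:' in 'openssl ... -text' output."""
    m = re.search(re.escape(extension) + r":\s*(?:keyid:)?" + KEYID, openssl_text)
    return norm(m.group(1)) if m else None

def diagnose(dirmngr_log, crl_text, certs):
    """For each missing issuer: does the CRL name it, and which certs carry it?"""
    aki = extension_key_id(crl_text, "Authority Key Identifier")
    report = {}
    for key_id in missing_issuers(dirmngr_log):
        holders = [name for name, text in certs.items()
                   if extension_key_id(text, "Subject Key Identifier") == key_id]
        report[key_id] = {"named_by_crl": key_id == aki, "candidates": holders}
    return report

# Excerpts of the dirmngr log and OpenSSL output quoted in the thread.
LOG = """dirmngr[3184.0]: error fetching certificate by subject: Configuration error
dirmngr[3184.0]: CRL issuer certificate
{92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found"""
CRL = """CRL extensions:
    X509v3 Authority Key Identifier:

keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
"""
CERT = """X509v3 extensions:
    X509v3 Authority Key Identifier:

keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A

    X509v3 Subject Key Identifier:
        92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
"""

if __name__ == "__main__":
    # "comodo-client-ca" is a hypothetical label for the CA certificate.
    print(diagnose(LOG, CRL, {"comodo-client-ca": CERT}))
```

An empty `candidates` list means none of the certificates supplied carries the key ID that dirmngr is asking for.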