Next: Parse a mail message into an annotated format, Previous: Communicate with a running agent, Up: Helper Tools [Contents][Index]
The dirmngr-client is a simple tool to contact a running
dirmngr and test whether a certificate has been revoked — either by
being listed in the corresponding CRL or by running the OCSP protocol.
If no dirmngr is running, a new instances will be started but this is
in general not a good idea due to the huge performance overhead.
The usual way to run this tool is either:
dirmngr-client acert
or
dirmngr-client <acert
Where acert is one DER encoded (binary) X.509 certificates to be tested. The return value of this command is
0The certificate under question is valid; i.e., there is a valid CRL available and it is not listed there or the OCSP request returned that that certificate is valid.
1The certificate has been revoked
2 (and other values)There was a problem checking the revocation state of the certificate. A message to stderr has given more detailed information. Most likely this is due to a missing or expired CRL or due to a network problem.
dirmngr-client may be called with the following options:
--version ¶Print the program version and licensing information. Note that you cannot abbreviate this command.
--help, -h ¶Print a usage message summarizing the most useful command-line options. Note that you cannot abbreviate this command.
--quiet, -q ¶Make the output extra brief by suppressing any informational messages.
-v--verbose ¶Outputs additional information while running. You can increase the verbosity by giving several verbose commands to DIRMNGR, such as ‘-vv’.
--pem ¶Assume that the given certificate is in PEM (armored) format.
--ocsp ¶Do the check using the OCSP protocol and ignore any CRLs.
--force-default-responder ¶When checking using the OCSP protocol, force the use of the default OCSP responder. That is not to use the Responder as given by the certificate.
--ping ¶Check whether the dirmngr daemon is up and running.
--cache-cert ¶Put the given certificate into the cache of a running dirmngr. This is mainly useful for debugging.
--validate ¶Validate the given certificate using dirmngr’s internal validation code. This is mainly useful for debugging.
--load-crl ¶This command expects a list of filenames with DER encoded CRL files. With the option --url URLs are expected in place of filenames and they are loaded directly from the given location. All CRLs will be validated and then loaded into dirmngr’s cache.
--lookup ¶Take the remaining arguments and run a lookup command on each of them. The results are Base-64 encoded outputs (without header lines). This may be used to retrieve certificates from a server. However the output format is not very well suited if more than one certificate is returned.
--url ¶-uModify the lookup and load-crl commands to take an URL.
--local ¶-lLet the lookup command only search the local cache.
--squid-mode ¶Run DIRMNGR-CLIENT in a mode suitable as a helper program for Squid’s external_acl_type option.
Next: Parse a mail message into an annotated format, Previous: Communicate with a running agent, Up: Helper Tools [Contents][Index]