
16 The certificate server

Section 8.2 already provided a lot of information on how to use a certificate server to publish your public (OpenPGP or X.509) certificate. This section will take a closer look at certificate servers, and will show you how to use them with Kleopatra.

Key servers can be used by all programs that support the OpenPGP or X.509 standards. Kleopatra supports both, and therefore works with both OpenPGP and X.509 certificate servers.

OpenPGP certificate servers
(also called "key servers") are organized on a decentralised basis and synchronize with each other globally. There are no current statistics about their number or how many OpenPGP certificates they contain. This shared network of OpenPGP certificate servers provides better availability and prevents individual system administrators from deleting certificates, which would make secure communication impossible ("Denial of Service" attack).
X.509 certificate servers
are generally made available by the certificate authorities via LDAP and are sometimes also described as directory services for X.509 certificates.

16.1 Key server configuration

Open the configuration dialog in Kleopatra:
Settings -> Configure Kleopatra...

Now set up a new certificate server under the group Certificate servers by clicking on the New button. Select between OpenPGP or X.509.

For OpenPGP, a default OpenPGP certificate server with the server address hkp://keys.gnupg.net (Port: 11371, Protocol: hkp) will be added to the list. You can use this server without making any changes - or you can use one of the suggested OpenPGP server addresses on the next page.

For X.509 you will see the following default settings for an X.509 certificate server: (Protocol: ldap, Server name: server, Server port: 389). Complete the information on the server name and base DN of your X.509 certificate server and check the server port.

If your certificate server requires a user name and password, activate the option Requires user authentication and enter the required information.

The screenshot below shows a configured OpenPGP certificate server:

Confirm the configuration by pressing [OK]. You have successfully configured your certificate server.

To check that you have configured the certificate server correctly, it helps to run, for example, a certificate search on the server (for instructions, see Section 16.2).

Proxy setting: If you use a proxy in your network, you should add the parameter http-proxy=<proxydomain> to the certificate server address in the Server name column. The full server name could therefore look as follows:
keys.gnupg.net http-proxy=proxy.hq
You can also review and if necessary correct the certificate server configurations in the file: %APPDATA%\gnupg\gpg.conf
Explanations regarding the system-wide configuration of X.509 key servers can be found in Section 22.5.

OpenPGP certificate server addresses

We recommend that you only use up-to-date OpenPGP certificate servers, since only they can handle the newer OpenPGP characteristics.

Here is a selection of well-functioning certificate servers:

  • hkp://blackhole.pca.dfn.de
  • hkp://pks.gpg.cz
  • hkp://pgp.cns.ualberta.ca
  • hkp://minsky.surfnet.nl
  • hkp://keyserver.ubuntu.com
  • hkp://keyserver.pramberger.at
  • http://keyserver.pramberger.at
  • http://gpg-keyserver.de

If you have problems with your firewall, it is best to try certificate servers whose URL begins with: http://

The certificate servers under the addresses

  • hkp://keys.gnupg.net (Kleopatra pre-selection, see screenshot on previous page)
  • hkp://subkeys.pgp.net

are a collection point for an entire network of these servers; a concrete server will be selected randomly.

Attention: Do not use ldap://keyserver.pgp.com as a certificate server, since it does not synchronize with other servers (Status: May 2010).

16.2 Search and import certificates from certificate servers

Once you have configured at least one certificate server, you can now look for and import certificates.

To do this, in Kleopatra click on File -> Search for certificates on server....

You will see a search dialog with an input field into which you can enter the name of the certificate holder or, ideally, the e-mail address of the certificate.

To view the details of a selected certificate, click on the button [Details...].

If you wish to add one of the certificates you have found to your local certificate collection, select the certificate from the list of search results and click on [Import].

Kleopatra will subsequently display a dialog with the import results. Confirm with [OK].

If the import was successful, you will see the selected certificate in Kleopatra's certificate administration.
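
What a certificate search looks like on the wire, as an added example that is not part of the Compendium or of Kleopatra: an hkp:// address is plain HTTP on port 11371, and a search is a GET request to /pks/lookup whose machine-readable answer lists pub and uid records. The request path and record layout follow the common HKP convention; the sample response, key ID and names are constructed.

```python
from urllib.parse import urlsplit, urlencode, unquote

HKP_DEFAULT_PORT = 11371  # port the page gives for hkp://keys.gnupg.net

def lookup_url(server, search, op="index"):
    """Build the HTTP URL an HKP client requests for a certificate search."""
    parts = urlsplit(server)
    if parts.scheme not in ("hkp", "http"):
        raise ValueError("not an HKP/HTTP certificate server: " + server)
    # hkp:// is HTTP on port 11371; http:// addresses use port 80,
    # which is why they are the ones to try behind a restrictive firewall.
    port = parts.port or (HKP_DEFAULT_PORT if parts.scheme == "hkp" else 80)
    query = urlencode({"op": op, "options": "mr", "search": search})
    return "http://%s:%d/pks/lookup?%s" % (parts.hostname, port, query)

def parse_index(text):
    """Parse a machine-readable index listing into a list of certificates."""
    certs = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 5:
            # pub:<key id>:<algorithm>:<key length>:<creation date>:...
            certs.append({"keyid": fields[1], "bits": int(fields[3] or 0),
                          "created": int(fields[4] or 0), "uids": []})
        elif fields[0] == "uid" and certs and len(fields) >= 2:
            # uid lines belong to the preceding pub line; text is %-escaped
            certs[-1]["uids"].append(unquote(fields[1]))
    return certs

# Constructed sample response (not output from a real server).
SAMPLE = """info:1:1
pub:0123456789ABCDEF:1:2048:1283212800::
uid:Alice Example <alice@example.org>:1283212800::
uid:Alice (work) <alice@example.com>:1283212800::
"""

if __name__ == "__main__":
    print(lookup_url("hkp://keys.gnupg.net", "alice@example.org"))
    for cert in parse_index(SAMPLE):
        print(cert["keyid"], cert["bits"], cert["uids"])
```
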

16.3 Export certificates to OpenPGP certificate servers

If you have configured an OpenPGP certificate server as described in Section 16.1, a click of your mouse will send your public OpenPGP certificate around the world.

Select your OpenPGP certificate in Kleopatra and then click on the menu item File -> Export certificate to server....

You only need to send your certificate to any of the available OpenPGP certificate servers, since almost all of these will synchronize on a global level. It may take one to two days until your OpenPGP certificate is actually available worldwide, but then you will have a "global" certificate.

If you export your certificate without first having configured an OpenPGP certificate server, Kleopatra will suggest the default server hkp://keys.gnupg.net.


© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the GNU Free Documentation License v1.2.

