German beA (lawyer) certificate problems (Okular and Kleopatra) - User-ID invalid

Hi there,

Lawyers in Germany are given QES certificates by an organisation that lists is policies and practices and also root certificates here: Veröffentlichungen | Zertifizierungsstelle

I want to use the QES certificate provided by the organisation.

To do so, I imported my certificate into Kleopatra. I also imported the root certificate by the organisation.

In Kleopatra, my certificate shows me for the field User-ID “invalid”. In the certificate details I see:

C=DE,O=Bundesnotarkammer,OU=Zertifizierungsstelle,CN=beA Token CA 2022

For the root certificate I see:

Trust level “Ultimate” and User-ID “certified”.

However, when I go to my certificate and check the details and issuer I get “The issuer certificate could not be found locally.”

If I try to sign a document using Okular, I get “Could not sign. Invalid certificate password or could not write to …” (but I am trying to save it to a location I normally can save to).

I am using:

Version (Gpg4win-4.3.1)

GnuPG 2.4.5
Libgcrypt 1.10.3

Version 23.11.70

Microsoft Windows 10 Pro
Version 10.0.19045 Build 19045

Please let me know what information I can provide to troubleshoot.


it would be helpful if you could provide your public certificate and a signed document (created with other software) so that we can check the verification code path. If you do not want to post it to this mailing listI think there are also direct messages here or simply write to wk at gnupg dot org.


Thanks, I sent you an email with the requested documents.

Das Herausgeberzertifikat kann man sicher in Kleopatra nachinstallieren, aber schwierig wird:

Problem wird sein, daß die Bundesnotarkammer nur noch Fernsignaturkarten herausgibt. Und dafür muß eine Signatursoftware erstmal geeignet sein…

Nee, tatsächlich gibt es auch Software-Zertifikate. Es klappt trotzdem nicht.

Falls nichts angekommen ist, bitte Bescheid geben.

Es ist angekommen, habe ich gehört. Aber Werner hat gerade viel zu tun …