X509 certificates and Gpg4win

I’m using Gpg4win (at latest 2.2.0) under windows7 (64bit) and always using gpg keys. Some recent thread about X509 and signing OpenOffice documents made me think about this branch of operations. For a first step, I decided to get a CAcert X509 certificate - which works ok with their website logins but it doesn’t carry my name, only email because I don’t yet have the number of assurance points - this is fine and will work out with time.
I decided to import the CAcert root certificate to Gpg4win using Kleopatra. Maybe this was an error ? Since doing it, I now have strange behaviour from Kleopatra which has never seemed very robust under Windows. Now, instead of taking a couple of minutes to launch, it is even slower and when it does open a window, Kleopatra displays no keys / certificates at all. When I try to close the Kleopatra window (Kleopatra normally goes back to the system tray), I get a message saying 'there are still some tasks running". Windows Task Manager shows only 2 processes that I can identify with Gpg4win and these are Kleopatra.exe *32, gpgsm.exe *32 (the X509/CMS tool of GnuPG) and these don’t appear to be doing anything. (cpu activity 0 - 1%).
When I open GPA, all my certificates/keys are there, including the CAcert root certificate - but after a little while, GPA stops responding so I kill it and look again in Task Manager where I find multiple instances of the gpgsm.exe process running. These gradually decay of their own accord until only one is left. Looking at Kleopatra, there are still no keys displayed. I kill the last instance of the gpgsm.exe process and Kleopatra immediately displays all my keys/certificates including the CAcert root.
I restart GPA with no difficulty and it also displays all keys and CAcert root certificate.
So, should I not have imported the CAcert root certificate ? Is it not needed ? Have I missed some other essential feature of X509 ? It seems that gpgsm.exe is unable to complete some task but I don’t understand which.

I’m gradually finding answers to my questions.

First, I was right to import the root certificate; it forms the head of a hierarchy of displayed X509 certificates when you import others.

gpgsm.exe was unable to complete its task and I believe that was because it could not find a CRL (certificate revocation list) on my machine. I finally managed to import the CAcert CRL using FireFox. This was not immediately straightforward because I was uncertain of what to ask FireFox to find. I couldn’t find any mention of the CRL on the CAcert website but careful examination of the details of the CAcert root certificate gave me the lead I needed.

https://www.cacert.org/revoke.crl” was the string Firefox was looking for in its import CRL dialog box.

Once the CRL imported ok, gpgsm.exe completes its task and Kleopatra displays the X509 certificates.

I still have unresolved issues. Kleopatra is still pretty slow : of the order of 5 minutes before any (gpg) certificates are displayed.

The details of CAcert root certificate as viewed in Kleopatra show in the overview - ‘Trusted issuer ? : No’ and I cannot get this to change. When I select the CAcert root certificate, the Certificates menu has only one option available and that is ‘Trust Root Certificate’ but clicking on that just seems to launch a redisplay action and does not have the desired effect.

I believe I have correctly complied with the instructions in Gpg4win’s document ‘HowTo-SMIME.en.txt’.

Next chapter in the story of trying to get satisfactory working of Kleopatra with X509 certificates.

I now have three X509 certs stocked in Kleopatra as well as the CA root certificate. Kleopatra now takes around 20 minutes to complete its display of certs on start up (nothing, not even Gpg certs displayed for around 20 minutes). This has to be due to look up delays on a server somewhere but I can’t find what to change in the setup to speed it up. I believe I have done everything suggested in the Gpg4win Howto S/MIME document.

The CA root certificate is still shown as ‘not trusted’. In the Kleopatra gui, under ‘Certificates,’ when I select the CAroot cert entry, the only option available (other than delete) is ‘Trust Root Certificate’ and I’ve clicked a 100 times over the past weeks but nothing seems to happen - unless possibly the creation of a trustlist.txt file with a single line entry showing the fingerprint of the root certificate in the ‘user/AppData/roaming/gnupg/’ directory.

Curiously, this location is not the one specified for trustlist.txt in the instructions in the HOWTO S/MIME document.

I’m coming to the conclusion, I think, that Gpg4win and Kleopatra are not best suited to X509 work. I have imported directly into FireFox with no trouble. I have exported a backup from FireFox and then imported it into Thunderbird with no difficulty. Also into the Windows7 repository for certificates for use in OpenOffice - very easy.

Hello Philip,
I fully agree to all of Your recognitions and conclusions. I nearly went through the same steps trying to solve the same problems and misbehaviours on an XP-Prof-system with thunderbird and seamonkey. I’m in lack of any further idea, so probably give up for he moment, use it as it is and wait for the upcoming versions hopefully not being betas. But let me state: It is very useful together with enigmail and the basic features work: you canreceive and send signed and crypted mails including attachements with the self-generated pgp-keys.


Hi Andreas : it was good to see that someone else has trouble with X509 in Gpg4win. I’ve tried all I can and have put the problem aside for the moment.

I’ve stopped asking Kleopatra to check CRLs for SMIME because it stopped any keys being displayed (even gpg keys) for at least 20 minutes after start up. I cannot get Gpg4win to ‘trust’ the CAcert root certificate despite my having fulfilled all conditions I can find in Gpg4win documentation (at least I think I have done everything). If the root certificate is not trusted, then I can’t use my CAcert key to encrypt anything.

Until I learn where I’ve gone wrong, I’m only using gpg keys and they work just fine.

Cacert does “abuse” the CRL feature a little bit, there were other discussion about this.
(either in the forum or the mailinglist) It seems we need a proper problem report about it and also need to inform the cacert people.