Changes the Owner Trust of the selected OpenPGP certificate.
This function is only available when exactly one OpenPGP certificate is selected.
Marks this (S/MIME) root certificate as trusted.
In some ways, this is the equivalent of → for S/MIME root certificates. You can, however, only choose between—in OpenPGP terms—“ultimate” trust and “never trust”.
The backend (by way of GpgAgent) will ask at root certificate import time whether to trust the imported root certificate. However, that function must be explicitly enabled in the backend configuration (
gpg-agent.conf, or either → → or → under → ).
Enabling that functionality in the backend can lead to popups from PinEntry at inopportune times (e.g. when verifying signatures), and can thus block unattended email processing. For that reason, and because it is desirable to be able to distrust a trusted root certificate again, Kleopatra allows manual setting of trust.
Due to lack of backend support for this function, Kleopatra needs to work directly on the GpgSM trust database (
trustlist.txt). When using this function, make sure no other crypto operations are in progress that could race with Kleopatra for modifications to that database.
This function is only available when exactly one S/MIME root certificate is selected, and that certificate is not yet trusted.
Use → to undo this function.
Marks this (S/MIME) root certificate as not trusted.
This function is only available when exactly one S/MIME root certificate is selected, and that certificate is currently trusted.
Used to undo → . See there for details.
Allows you to certify another OpenPGP certificate.
This function is only available if exactly one OpenPGP certificate is selected.
Allows to change the expiry date of your OpenPGP certificate.
Use this function to extend the lifetime of your OpenPGP certificates as an alternative to either creating a new one, or using unlimited lifetime (“never expires”).
This function is only available if exactly one OpenPGP certificate is selected, and the secret key is available for that certificate.
Allows to change the passphrase of your secret key.
This function is only available if exactly one certificate is selected, and the secret key is available for that certificate. It requires a very recent backend, since we changed the implementation from direct calling of GPG and GpgSM to a GpgME-based one.
For security reasons, both the old as well as the new passphrase is asked for by PinEntry, a separate process. Depending on the platform you are running on and on the quality of the PinEntry implementation on that platform, it may happen that the PinEntry window comes up in the background. So, if you select this function and nothing happens, check the operating system's task bar in case a PinEntry window is open in the background.
Allows to add a new User-ID to your OpenPGP certificate.
Use this to add new identities to an existing certificate as an alternative to creating a new key pair. An OpenPGP user-ID has the following form:
In the dialog that comes up when you select this function, Kleopatra will ask you for each of the three parameters (
These parameters are subject to the same Administrator restrictions as in new certificates. See the section called “Creating New Key Pairs” and the section called “Customization of the Certificate-Creation Wizard” for details.
This function is only available when exactly one OpenPGP certificate is selected, and the secret key is available for that certificate.
- → (Del)
Deletes the selected certificates from the local keyring.
Use this function to remove unused keys from your local keybox. However, since certificates are typically attached to signed emails, verifying an email might result in the key just removed to pop back into the local keybox. So it is probably best to avoid using this function as much as possible. When you are lost, use the search bar or the → function to regain control over the lot of certificates.
There is one exception to the above: When you delete one of your own certificates, you delete the secret key along with it. This implies that you will not be able to read past communication encrypted to you using this certificate, unless you have a backup somewhere.
Kleopatra will warn you when you attempt to delete a secret key.
Due to the hierarchical nature of S/MIME certificates, if you delete an S/MIME issuer certificate (CA certificate), all subjects are deleted, too.
Naturally, this function is only available if you selected at least one certificate.
Shows all information that GpgSM has about the selected (S/MIME) certificate.
See the discussion about
--dump-keyin the GpgSM manual for details about the output.
 This is the same as a filesystem: When you delete a folder, you delete all files and folders in it, too.