Certificates Menu

Certificates → Change Owner Trust...

Changes the Owner Trust of the selected OpenPGP certificate.

This function is only available when exactly one OpenPGP certificate is selected.

Certificates → Trust Root Certificate

Marks this (S/MIME) root certificate as trusted.

In some ways, this is the equivalent of Certificates → Change Owner Trust... for S/MIME root certificates. You can, however, only choose between—in OpenPGP terms—ultimate trust and never trust.

Note

The backend (by way of GpgAgent) will ask at root certificate import time whether to trust the imported root certificate. However, that function must be explicitly enabled in the backend configuration (allow-mark-trusted in gpg-agent.conf, or either GnuPG System → GPG Agent → Allow clients to mark keys as "trusted" or S/MIME Validation → Allow to mark root certificates as trusted under Chapter 5, Configuring Kleopatra).

Enabling that functionality in the backend can lead to popups from PinEntry at inopportune times (e.g. when verifying signatures), and can thus block unattended email processing. For that reason, and because it is desirable to be able to distrust a trusted root certificate again, Kleopatra allows manual setting of trust.

Warning

Due to lack of backend support for this function, Kleopatra needs to work directly on the GpgSM trust database (trustlist.txt). When using this function, make sure no other crypto operations are in progress that could race with Kleopatra for modifications to that database.

This function is only available when exactly one S/MIME root certificate is selected, and that certificate is not yet trusted.

Use Certificates → Distrust Root Certificate to undo this function.
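To audit what the trust database mentioned in the warning above contains, the following added example (not Kleopatra's or GnuPG's own code) parses trustlist.txt as gpg-agent documents it: one fingerprint per line followed by a type flag, colons optional, a leading "!" marking the root as explicitly not trusted, and "#" starting a comment. The function names and the sample fingerprints are constructed for illustration.

```python
import re

# Constructed sample of ~/.gnupg/trustlist.txt; the fingerprints are made up.
SAMPLE = """\
# Constructed Example Root CA 1
A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01:12:23:34 S relax
# Constructed Example Root CA 2, explicitly not trusted
!00112233445566778899AABBCCDDEEFF00112233 S
include-default
"""

# Optional "!", fingerprint (colons optional), type flag, optional option words.
ENTRY = re.compile(r"^(!?)\s*([0-9A-Fa-f:]+)\s+([SsPp*])(?:\s+(.*))?$")

def norm(fpr):
    """Strip colons and upper-case, so both notations compare equal."""
    return fpr.replace(":", "").upper()

def parse_trustlist(text):
    """Map each 40-hex fingerprint to its trust state and option words."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or len(norm(m.group(2))) != 40:
            continue  # comment, blank line, or directive such as include-default
        bang, fpr, _flag, opts = m.groups()
        entries[norm(fpr)] = {"trusted": bang == "", "options": (opts or "").split()}
    return entries

def set_trust(text, fpr, trusted):
    """Return new file text with fpr marked trusted or explicitly not trusted."""
    fpr, out, seen = norm(fpr), [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m and norm(m.group(2)) == fpr:
            body = line.lstrip("!").lstrip()
            out.append(body if trusted else "!" + body)
            seen = True
        else:
            out.append(raw)  # keep comments and directives untouched
    if not seen:  # unknown root: append a fresh S/MIME entry
        out.append(("" if trusted else "!") + fpr + " S")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for fpr, info in parse_trustlist(SAMPLE).items():
        print(fpr, "trusted" if info["trusted"] else "NOT trusted", info["options"])
```

gpg-agent reads the file again after `gpgconf --reload gpg-agent`. When writing changed text back, write it to a temporary file and rename it into place while no other crypto operation is running, for the reason given in the warning above.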

Certificates → Distrust Root Certificate

Marks this (S/MIME) root certificate as not trusted.

This function is only available when exactly one S/MIME root certificate is selected, and that certificate is currently trusted.

Used to undo Certificates → Trust Root Certificate. See there for details.

Certificates → Certify Certificate...

Allows you to certify another OpenPGP certificate.

This function is only available if exactly one OpenPGP certificate is selected.

Certificates → Change Expiry Date...

Allows you to change the expiry date of your OpenPGP certificate.

Use this function to extend the lifetime of your OpenPGP certificates as an alternative to either creating a new one, or using unlimited lifetime (never expires).

This function is only available if exactly one OpenPGP certificate is selected, and the secret key is available for that certificate.

Certificates → Change Passphrase...

Allows you to change the passphrase of your secret key.

This function is only available if exactly one certificate is selected, and the secret key is available for that certificate. It requires a very recent backend, since we changed the implementation from direct calling of GPG and GpgSM to a GpgME-based one.

Note

For security reasons, both the old and the new passphrase are asked for by PinEntry, a separate process. Depending on the platform you are running on and on the quality of the PinEntry implementation on that platform, it may happen that the PinEntry window comes up in the background. So, if you select this function and nothing happens, check the operating system's task bar in case a PinEntry window is open in the background.

Certificates → Add User-ID...

Allows you to add a new User-ID to your OpenPGP certificate.

Use this to add new identities to an existing certificate as an alternative to creating a new key pair. An OpenPGP user-ID has the following form:

Real Name [(Comment)] <Email>

In the dialog that comes up when you select this function, Kleopatra will ask you for each of the three parameters (Real Name, Comment and Email) separately, and display the result in a preview.

Note

These parameters are subject to the same Administrator restrictions as in new certificates. See the section called “Creating New Key Pairs” and the section called “Customization of the Certificate-Creation Wizard” for details.

This function is only available when exactly one OpenPGP certificate is selected, and the secret key is available for that certificate.

Certificates → Delete (Del)

Deletes the selected certificates from the local keyring.

Use this function to remove unused keys from your local keybox. However, since certificates are typically attached to signed emails, verifying an email might result in the key you just removed popping back into the local keybox. So it is probably best to avoid using this function as much as possible. When you are lost, use the search bar or the View → Hierarchical Certificate List function to regain control over the lot of certificates.

Warning

There is one exception to the above: When you delete one of your own certificates, you delete the secret key along with it. This implies that you will not be able to read past communication encrypted to you using this certificate, unless you have a backup somewhere.

Kleopatra will warn you when you attempt to delete a secret key.

Due to the hierarchical nature of S/MIME certificates, if you delete an S/MIME issuer certificate (CA certificate), all subjects are deleted, too.[1]

Naturally, this function is only available if you selected at least one certificate.

Certificates → Dump Certificate

Shows all information that GpgSM has about the selected (S/MIME) certificate.

See the discussion about --dump-key key in the GpgSM manual for details about the output.



[1] This is the same as a filesystem: When you delete a folder, you delete all files and folders in it, too.