Chapter 6. Administrator's Guide

This Administrator's Guide describes ways to customize Kleopatra that are not accessible via the GUI, but only via config files.

It is assumed that the reader is familiar with the technology used for KDE application configuration, including layout, file system location and cascading of KDE config files, as well as the KIOSK framework.

Customization of the Certificate-Creation Wizard

Customizing the DN fields

Kleopatra allows you to customize the fields that the user is allowed to enter in order to create their certificate.

Create a group called CertificateCreationWizard in the system-wide kleopatrarc. If you want a custom order of attributes or if you only want certain items to appear, create a key called DNAttributeOrder. The argument is one or more of CN,SN,GN,L,T,OU,O,PC,C,SP,DC,BC,EMAIL If you want to initialize fields with a certain value, write something like Attribute=value. If you want the attribute to be treated as a required one, append an exclamation mark (e.g. CN!,L,OU,O!,C!,EMAIL!, which happens to be the default configuration).

Using the KIOSK mode modifier $e allows to retrieve the values from environment variables or from an evaluated script or binary. If you want to disallow editing of the respective field in addition, use the modifier $i. If you want to disallow the use Insert My Address button, set ShowSetWhoAmI to false.


Due to the nature of the KDE KIOSK framework, using the immutable flag ($i) makes it impossible for the user to override the flag. This is intended behavior. $i and $e can be used with all other config keys in KDE applications as well.

The following example outlines possible customizations:

;Disallow to copy personal data from the addressbook, do not allow local override

;sets the user name to $USER

;sets the company name to "My Company", disallows editing
O[$i]=My Company

;sets the department name to a value returned by a script

; sets country to DE, but allows for changes by the user

Restricting the Types of Keys a User is Allowed to Create

Kleopatra also allows to restrict which type of certificates a user is allowed to create. Note, however, that an easy way around these restrictions is to just create one on the command line.

Public Key Algorithms

To restrict the public key algorithm to use, add the config key PGPKeyType (and CMSKeyType, but only RSA is supported for CMS anyway) to the CertificateCreationWizard section of kleopatrarc.

The allowed values are RSA for RSA keys, DAS for DSA (sign-only) keys, and DSA+ELG for a DSA (sign-only) key with an Elgamal subkey for encryption.

The default is read from GpgConf or else RSA if GpgConf doesn't provide a default.

Public Key Size

To restrict the available keys sizes for a public algorithm, add the config key <ALG>KeySizes (where ALG may be RSA, DSA or ELG) to the CertificateCreationWizard section of kleopatrarc, containing a comma-separated list of keysizes (in bits). A default may be indicated by prefixing the keysize with a hyphen (-).

            RSAKeySizes = 1536,-2048,3072

The above would restrict allowed RSA key sizes to 1536, 2048 and 3072, with 2048 the default.

In addition to the sizes themselves, you may also specify labels for each of the sizes. Simply set the config key ALGKeySizeLabels to a comma-separated list of labels.

                RSAKeySizeLabels = weak,normal,strong

The above, in connection with the previous example, would print something like the following options for selection:

              weak (1536 bits)
              normal (2048 bits)
              strong (3072 bits)

The defaults are as if the following was in effect:

              RSAKeySizes = 1536,-2048,3072,4096
              RSAKeySizeLabels =
              DSAKeySizes = -1024,2048
              DSAKeySizeLabels = v1,v2
              ELGKeySizes = 1536,-2048,3072,4096