&kleopatra; is a tool for managing X.509 and OpenPGP certificates.



<chapter id="introduction"
> <title

&kleopatra; is the &kde; tool for managing X.509 and OpenPGP certificates in the &gpgsm; and &gpg; keyboxes and for retrieving certificates from &ldap; and other certificate servers.

>&kleopatra; can be started from &kmail;'s <menuchoice
> <guimenuitem
>Certificate Manager</guimenuitem
> menu, as well as from the command line. The &kleopatra; executable is named <userinput

This program is named after Cleopatra, a famous female Egyptian pharaoh who lived at the time of Julius Caesar, with whom she had a child, Caesarion, unacknowledged as his heir.

>The name was chosen because this program originates from the <ulink url=""
>&Auml;gypten Projects</ulink
> (&Auml;gypten is German for Egypt). &kleopatra; is the German spelling of Cleopatra.</para


<chapter id="functions"
>Main Functions</title>

<sect1 id="functions-view"
>Viewing the Local Keybox</title>

The main function of &kleopatra; is to display and modify the contents of the local keybox, a concept similar to &gpg;'s keyrings, although this analogy should not be stretched too far.

>The main window is divided into the large key listing area consisting of several tabs, the menubar and the <link linkend="functions-search"
>search bar</link
> on top, and a status bar at the bottom.</para>

>Each line in the key list corresponds to one certificate, identified by the so-called <guilabel
>Subject &dn;</guilabel
>. &dn; is an acronym for <quote
>Distinguished Name</quote
>, a hierarchical identifier much like a file system path with a different syntax, which makes it possible to identify a given certificate uniquely and globally.

>To be valid, and thus usable, (public) keys need to be signed by a &ca; (Certification Authority). These signatures are called certificates, but usually the terms <quote
> and <quote
>(public) key</quote
> are used interchangeably, and we will not distinguish between them in this manual either, except when explicitly noted.</para>

>&ca;s must in turn be signed by other &ca;s to be valid. Obviously, this must end somewhere, so the top-level &ca; (root &ca;) signs its key with itself (this is called a self-signature). Root certificates therefore need to be assigned a validity (commonly called trust) manually, &eg; after comparing the fingerprint with the one on the website of the &ca;. This is typically done by the system administrator or the vendor of the product that uses the certificates, but it can also be done by the user via &gpgsm;'s command line interface.</para>

>To see which of the certificates are root certificates, you switch to the hierarchical keylist mode with <xref linkend="view-hierarchical-key-list"/>.</para>

>You can see the details of any certificate by double-clicking it or using <xref linkend="view-certificate-details"/>. This opens a dialog that shows the most common properties of the certificate, its certificate chain (&ie; the chain of issuers up to the root-&ca;), and a dump of all information the backend is able to extract from the certificate.</para>

>If you change the keybox without using &kleopatra; (&eg; using &gpgsm;'s command line interface), you can refresh the view with <xref linkend="view-redisplay"/>.</para>
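
The issuer chain and root trust described above, as an added example that is not part of the &kleopatra; handbook or its code: a Python example that links certificates by subject and issuer name, reports incomplete chains, and treats a certificate as usable only when its chain ends at a root marked as trusted. The Cert type, the function names, the DNs and the fingerprints are constructed for illustration.

```python
# Added example: name-based chain building over constructed sample data.
# It links certificates by subject/issuer DN only; real validation (as done
# by the backend) also verifies signatures, validity periods and revocation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # subject DN
    issuer: str       # issuer DN
    fingerprint: str  # constructed placeholder, not a real hash

    @property
    def self_signed(self):
        # A root CA certificate names itself as its issuer.
        return self.subject == self.issuer


def index_by_subject(certs):
    # Assumption: subject DNs are unique within this sample keybox.
    return {c.subject: c for c in certs}


def chain_to_root(cert, by_subject):
    """Walk issuer links leaf-first. Status: complete, incomplete or loop."""
    chain, seen, current = [cert], {cert.subject}, cert
    while not current.self_signed:
        parent = by_subject.get(current.issuer)
        if parent is None:
            return chain, "incomplete"   # issuer is not in the keybox
        if parent.subject in seen:
            return chain, "loop"         # issuers certify each other
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain, "complete"


def is_usable(cert, by_subject, trusted_roots):
    """Usable only if the chain ends at a root that was explicitly trusted."""
    chain, status = chain_to_root(cert, by_subject)
    return status == "complete" and chain[-1].fingerprint in trusted_roots


def render_hierarchy(certs):
    """Return indented lines; top-level entries are roots and certificates
    whose issuer is missing from the keybox."""
    by_subject = index_by_subject(certs)
    children, tops = {}, []
    for c in sorted(certs, key=lambda c: c.subject):
        if c.self_signed:
            tops.append((c, ""))
        elif c.issuer in by_subject:
            children.setdefault(c.issuer, []).append(c)
        else:
            tops.append((c, "  [issuer missing]"))
    lines = []

    def walk(cert, depth, note=""):
        lines.append("  " * depth + cert.subject + note)
        for child in children.get(cert.subject, []):
            walk(child, depth + 1)

    for cert, note in tops:
        walk(cert, 0, note)
    return lines


# Constructed sample keybox (all names and fingerprints are made up).
ROOT = Cert("CN=Example Root CA,O=Example Org,C=US",
            "CN=Example Root CA,O=Example Org,C=US", "FP-ROOT")
ISSUING = Cert("CN=Example Issuing CA,O=Example Org,C=US",
               ROOT.subject, "FP-ISSUING")
ALICE = Cert("CN=Alice Example,OU=Logistics,O=Example Org,C=US",
             ISSUING.subject, "FP-ALICE")
OTHER_ROOT = Cert("CN=Other Root CA,O=Other Org,C=US",
                  "CN=Other Root CA,O=Other Org,C=US", "FP-OTHER")
CAROL = Cert("CN=Carol Example,O=Other Org,C=US",
             OTHER_ROOT.subject, "FP-CAROL")
BOB = Cert("CN=Bob Example,O=Other Org,C=US",
           "CN=Absent CA,O=Absent Org,C=US", "FP-BOB")

KEYBOX = [ALICE, BOB, CAROL, ISSUING, OTHER_ROOT, ROOT]
TRUSTED_ROOTS = {"FP-ROOT"}   # only this root was marked as trusted

if __name__ == "__main__":
    index = index_by_subject(KEYBOX)
    print("\n".join(render_hierarchy(KEYBOX)))
    for cert in (ALICE, CAROL, BOB):
        status = chain_to_root(cert, index)[1]
        print(cert.subject, status, is_usable(cert, index, TRUSTED_ROOTS))
```

Carol's chain is complete but ends at a root that was never marked as trusted, so her certificate is rejected just like Bob's, whose issuer is absent.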

<sect1 id="functions-search"
>Searching and Importing Certificates</title>

Most of the time, you will acquire new certificates by verifying signatures in emails, since certificates are embedded in the signatures made using them most of the time. However, if you need to send a mail to someone you have not yet had contact with, you need to fetch the certificate from an &ldap; folder (although &gpgsm; can do this automatically), or from a file. You also need to import your own certificate after receiving the &ca; answer to your certification request.

>To search for a certificate in an &ldap; directory, select <menuchoice
>Lookup Certificates on Server</guimenuitem
> and enter some text (&eg; the name of the person you want the certificate for) into the line edit of the <guilabel
>Keyserver Certificate Lookup</guilabel
> dialog, then click on the <guilabel
> button. The results will be displayed in the key list below the search bar, where you can select certificates to look at them by clicking the <guibutton
> button or download them with <guibutton
> into the local keybox.</para>
>You can configure the list of &ldap; servers to search in the <link linkend="configuration-directory-services"
>Directory Services</guilabel
> page of &kleopatra;'s configure dialog.</para>

>If you received the certificate as a file, try <xref linkend="file-import-certificates"/>. &gpgsm; needs to understand the format of the certificate file; please refer to &gpgsm;'s manual for a list of supported file formats.</para>

>If you did not <link linkend="functions-newkey"
>create your keypair with &gpgsm;</link
>, you also need to manually import the public key (as well as the secret key) from the PKCS#12 file you got from the &ca;. You can do this on the command line with <link linkend="commandline-option-import-certificate"
>kleopatra <option
> <filename
> or from within &kleopatra; with <xref linkend="file-import-certificates"/>, just as you would do for <quote
> certificates.</para>


<sect1 id="functions-newkey"
>Creating New Key Pairs</title>

>The menu item <xref linkend="file-new-key-pair"/> starts the <guilabel
>Certificate Creation Wizard</guilabel
> which will guide you through a number of steps to create a certificate request.</para
>Whenever you are done with a step in the wizard, press <guibutton
> to go to the next step (or <guibutton
> to review the steps that are already completed). The certificate request creation can be canceled at any time by pressing the <guibutton
> button. </para>
>On the first page of the wizard choose which type of certificate you want to create:</para>


>Create a personal OpenPGP key pair</guilabel
>OpenPGP key pairs are created locally, and certified by your friends and acquaintances. There is no central certification authority; instead, every individual creates a personal Web Of Trust by certifying other users' key pairs with their own certificate.</para>
>You have to enter a <guilabel
>, <guilabel
> and optionally a <guilabel
>Create a personal X.509 key pair and certification request</guilabel
>X.509 key pairs are created locally, but certified centrally by a certification authority (&ca;). &ca;s can certify other &ca;s, creating a central, hierarchical chain of trust.</para>
>The next step in the wizard is to type in your personal data for the certificate. The fields to fill out are: <itemizedlist>
>Common Name (CN): </guilabel
>Your name;</para>
>Email address (EMAIL): </guilabel
>Your email address; be sure to type this in correctly&mdash;this will be the address people will be sending mail to when they use your certificate.</para>
>Location (L): </guilabel
>The town or city in which you live;</para>
>Organizational unit (OU): </guilabel
>The organizational unit you are in (for example, "Logistics");</para
>Organization (O): </guilabel
>The organization you represent (for example, the company you work for);</para>
>Country code (C): </guilabel
>The two letter code for the country in which you are living (for example, "US");</para>
The next step in the wizard is to select whether to store the certificate in a file or send it directly to a &ca;. You will have to specify the filename or the email address to send the certificate request to.

<chapter id="menu"
>Menu Reference</title>

<sect1 id="menufile"
> Menu</title>


<varlistentry id="file-new-key-pair">
><keycombo action="simul"
> <guimenu
>New Certificate...</guimenuitem

>Creates a new key pair (public and private)</action
> and allows you to send the public part to a certification authority (&ca;) for signing. The resulting certificate is then sent back to you, or stored in an &ldap; server for you to download into your local keybox, where you can use it to sign and decrypt mails.</para>

>This mode of operation is called <quote
>decentralized key generation</quote
>, since all keys are created locally. &kleopatra; (and &gpgsm;) do not support <quote
>centralized key generation</quote
> directly, but you can import the public/secret key bundle that you receive from the &ca; in PKCS#12 format via <xref linkend="file-import-certificates"/>.</para>

        <varlistentry id="file-lookup-certificates">
><keycombo action="simul"
> <guimenu
>Lookup Certificates on Server...</guimenuitem
> </menuchoice>
>Searches for, and imports, certificates from certificate servers into the local keybox.</action
> See <xref linkend="functions-search"/> for details. </para>
>You need to have key servers configured for this to work. See <xref linkend="configuration-directory-services"/> for more details. </para>

        <varlistentry id="file-import-certificates">
><keycombo action="simul"
> <guimenu
>Import Certificates...</guimenuitem
> </menuchoice>
>Imports certificates and/or secret keys from files into the local keybox.</action
> See <xref linkend="functions-search"/> for details. </para>
>The format of the certificate file must be supported by &gpgsm;/&gpg;. Please refer to the &gpgsm; and &gpg; manuals for a list of supported formats. </para>

        <varlistentry id="file-export-certificates">
><keycombo action="simul"
> <guimenu
>Export Certificates...</guimenuitem
> </menuchoice>
>Exports the selected certificates to a file.</action>
>The filename extension you choose for the export file name determines the format of the export file: </para>
>For OpenPGP certificates, <filename class="extension"
> and <filename class="extension"
> will result in a binary file, whereas <filename class="extension"
> will result in an &ascii;-armored file. </para>
>For &smime; certificates, <filename class="extension"
> will result in a binary, &der;-encoded file, whereas <filename class="extension"
> will result in an &ascii;-armored file. </para>
>Unless multiple certificates are selected, &kleopatra; will propose <filename
> as the export file name. </para>
>This function is only available when one or more certificates have been selected. </para>
>This function exports only the public keys, even if the secret key is available. Use <xref linkend="file-export-secret-key"/> to export both public and secret keys into a file, but note that this is almost always a bad idea. </para>

        <varlistentry id="file-export-secret-key">
>Export Secret Key...</guimenuitem
> </menuchoice>
>Exports both the public and the secret key to a file.</action>
>In the dialog that opens, you can choose an <guilabel
>Output file</guilabel
> name, and whether to create a binary or an &ascii;-armored export file (<guilabel
>ASCII armor</guilabel
>). When exporting &smime; secret keys, you can also choose the <guilabel
>Passphrase charset</guilabel
>. See the discussion of the <option
> option in the &gpgsm; manual for more details. </para>
>This function is only available when exactly one certificate has been selected, and the secret key for that certificate is available. </para>
>It should rarely be necessary to use this function, and if it is, it should be carefully planned. Planning the migration of a secret key involves choice of transport media and secure deletion of the key data on the old machine, as well as on the transport medium, among other things. </para>

><keycombo action="simul"
> <guimenu
>Export Certificates to Server...</guimenuitem
> </menuchoice>
>Publish the selected certificates on a keyserver</action
> (&openpgp; only). </para>
>The certificate is sent to the certificate server configured for &openpgp; (cf.&nbsp;<xref linkend="configuration-directory-services"/>), if that is set, otherwise to <systemitem class="systemname"
>. </para>
>This function is only available if at least one &openpgp; (and no &smime;) certificates have been selected. </para>
>Most public &openpgp; certificate servers synchronize certificates amongst each other, so there is little point in sending to more than one. </para>
>It can happen that a search on a certificate server turns up no results even though you have just sent your certificate there. This is because most public keyserver addresses use <acronym
> round-robin to balance the load over multiple machines. These machines synchronize with each other, but usually only every 24 hours or so. </para>

>Decrypt/Verify Files...</guimenuitem
> </menuchoice>
>Decrypts files and/or verifies signatures</action
> over files. </para>
              See <xref linkend="function-decrypt-verify-files"/> for details.

>Sign/Encrypt Files...</guimenuitem
> </menuchoice>
>Signs and/or encrypts files.</action>
              See <xref linkend="function-sign-encrypt-files"/> for details.

><keycombo action="simul"
> <guimenu
> </menuchoice>
>Closes &kleopatra;'s main window.</action
> You can restore it from the system tray icon at any time. </para>

<varlistentry id="file-quit">
><keycombo action="simul"
> <guimenu

>Terminates &kleopatra;.</action


<sect1 id="menuview"
> Menu</title>


        <varlistentry id="view-redisplay">
><keycombo action="simul"
> <guimenu
> </menuchoice>
>Refreshes the certificate list.</action>
>Using this function is usually not necessary, as &kleopatra; monitors the filesystem for changes and automatically refreshes the certificate list when needed. </para>

        <varlistentry id="view-stop-operation">
><keycombo action="simul"
> <guimenu
>Stop Operation</guimenuitem
> </menuchoice>
>Stops (cancels) all pending operations,</action
> &eg; a search, keylisting, or a download. </para>
>This function is only available if at least one operation is active. </para>
>Due to backend limitations, sometimes operations will hang in such a way that this function won't be able to cancel them right away, or at all. </para>
>In such cases, the only way to restore order is to kill &scdaemon;, &dirmngr;, &gpgsm; and &gpg; processes, in that order, via the operating system tools (<command
>, Windows Task-Manager, &etc;), until the operation gets unblocked. </para>

<varlistentry id="view-certificate-details">
>Certificate Details</guimenuitem

>Shows the details of the currently selected certificate.</action

>This function is only available if exactly one certificate is selected.</para>

>This function is also available by double-clicking the corresponding item in the list directly.</para>

<varlistentry id="view-hierarchical-key-list">
>Hierarchical Certificate List</guimenuitem

>Toggles between hierarchical and flat certificate list mode. </action

>In hierarchical mode, certificates are arranged in issuer/subject relation, so it is easy to see which certification hierarchy a given certificate belongs to, but a given certificate is harder to find initially (though you can of course use the <link linkend="functions-search"
>search bar</link

>In flat mode, all certificates are shown in a plain list, sorted alphabetically. In this mode, a given certificate is easy to find, but it is not directly clear which root certificate it belongs to.</para>

>This function toggles hierarchical mode per tab, &ie; each tab has its own hierarchy state. This is so that you can have both a flat and a hierarchical listing at hand, each in its own tab. </para>

>Hierarchical display is currently only implemented for &smime; certificates. There is disagreement amongst the developers regarding the correct way to display &openpgp; certificates hierarchically (basically, <quote
>parent &equals; signer</quote
> or <quote
>parent &equals; signee</quote
>). </para>


<varlistentry id="view-expand-all">
><keycombo action="simul"
> </keycombo
>Expand All</guimenuitem

>Expands all list items in the certificate list view,</action
> &ie; makes all items visible.</para>

>This is the default when entering hierarchical keylist mode.</para>

>You can, of course, still expand and collapse each individual item by itself.</para>

>This function is only available when <xref linkend="view-hierarchical-key-list"/> is on.</para>


<varlistentry id="view-collapse-all">
><keycombo action="simul"
> </keycombo
>Collapse All</guimenuitem

>Collapses all list items in the certificate list view,</action
> &ie; hides all but the top-level items.</para>

>You can, of course, still expand and collapse each individual item by itself.</para>

>This function is only available when <xref linkend="view-hierarchical-key-list"/> is on.</para>



<sect1 id="menucertificates"
> Menu</title>


        <varlistentry id="certificates-change-owner-trust">
>Change Owner Trust...</guimenuitem
> </menuchoice>
>Changes the Owner Trust of the selected &openpgp; certificate.</action>
              See <xref linkend="functions-manage-wot"/> for details.
>This function is only available when exactly one &openpgp; certificate is selected. </para>

        <varlistentry id="certificates-trust-root">
>Trust Root Certificate</guimenuitem
> </menuchoice>
>Marks this (&smime;) root certificate as trusted.</action>
>In some ways, this is the equivalent of <xref linkend="certificates-change-owner-trust"/> for &smime; root certificates. You can, however, only choose between&mdash;in &openpgp; terms&mdash;<quote
> trust and <quote
>never trust</quote
>. </para>
>The backend (by way of &gpgagent;) will ask at root certificate import time whether to trust the imported root certificate. However, that function must be explicitly enabled in the backend configuration (<option
> in <filename
>, or either <menuchoice
> <guisubmenu
> <guimenuitem
>Allow clients to mark keys as "trusted"</guimenuitem
> or <link linkend="configuration-smime-validation-allow-mark-trusted"
> <guimenuitem
>Allow to mark root certificates as trusted</guimenuitem
> under <xref linkend="settings-configure-kleopatra"/>). </para>
>Enabling that functionality in the backend can lead to popups from &pinentry; at inopportune times (&eg; when verifying signatures), and can thus block unattended email processing. For that reason, and because it is desirable to be able to <emphasis
> a trusted root certificate again, &kleopatra; allows manual setting of trust. </para>
>Due to lack of backend support for this function, &kleopatra; needs to work directly on the &gpgsm; trust database (<filename
>). When using this function, make sure no other crypto operations are in progress that could race with &kleopatra; for modifications to that database. </para>
>This function is only available when exactly one &smime; root certificate is selected, and that certificate is not yet trusted. </para>
>Use <xref linkend="certificates-distrust-root"/> to undo this function. </para>

        <varlistentry id="certificates-distrust-root">
>Distrust Root Certificate</guimenuitem
> </menuchoice>
>Marks this (&smime;) root certificate as not trusted.</action>
>This function is only available when exactly one &smime; root certificate is selected, and that certificate is currently trusted. </para>
>Used to undo <xref linkend="certificates-trust-root"/>. See there for details. </para>

        <varlistentry id="certificates-certify">
>Certify Certificate...</guimenuitem
> </menuchoice>
>Allows you to certify another &openpgp; certificate.</action>
>Change Expire Date...</guimenuitem
> </menuchoice>
>Allows you to change the expiry date of your &openpgp; certificate.</action>
>Use this function to extend the lifetime of your &openpgp; certificates as an alternative to either creating a new one, or using unlimited lifetime (<quote
>never expires</quote
>). </para>
>This function is only available if exactly one &openpgp; certificate is selected, and the secret key is available for that certificate. </para>

>Change Passphrase...</guimenuitem
> </menuchoice>
>Allows you to change the passphrase of your secret key.</action>
>This function is only available if exactly one certificate is selected, and the secret key is available for that certificate. It requires a very recent backend, since we changed the implementation from direct calling of &gpg; and &gpgsm; to a &gpgme;-based one. </para>
>For security reasons, both the old and the new passphrase are asked for by &pinentry;, a separate process. Depending on the platform you are running on and on the quality of the &pinentry; implementation on that platform, it may happen that the &pinentry; window comes up in the background. So, if you select this function and nothing happens, check the operating system's task bar in case a &pinentry; window is open in the background. </para>

>Add User-ID...</guimenuitem
> </menuchoice>
>Allows you to add a new User-ID to your &openpgp; certificate.</action>
>Use this to add new identities to an existing certificate as an alternative to creating a new key pair. An &openpgp; user-ID has the following form: </para>
>In the dialog that comes up when you select this function, &kleopatra; will ask you for each of the three parameters (<replaceable
>, <replaceable
> and <replaceable
>) separately, and display the result in a preview. </para>
>These parameters are subject to the same Administrator restrictions as in new certificates. See <xref linkend="functions-newkey"/> and <xref linkend="admin-certificate-request-wizard"/> for details. </para>
>This function is only available when exactly one &openpgp; certificate is selected, and the secret key is available for that certificate. </para>

        <varlistentry id="certificates-delete">
><keycombo action="simul"
> <guimenu
> </menuchoice>
>Deletes the selected certificates</action
> from the local keyring. </para>
>Use this function to remove unused keys from your local keybox. However, since certificates are typically attached to signed emails, verifying an email might cause the key just removed to pop back into the local keybox. So it is probably best to avoid using this function as much as possible. When you are lost, use the <link linkend="functions-search"
>search bar</link
> or the <xref linkend="view-hierarchical-key-list"/> function to regain control over the lot of certificates. </para>
>There is one exception to the above: When you delete one of your own certificates, you delete the secret key along with it. This implies that you will not be able to read past communication encrypted to you using this certificate, unless you have a backup somewhere. </para>
>&kleopatra; will warn you when you attempt to delete a secret key. </para>
>Due to the hierarchical nature of &smime; certificates, if you delete an &smime; issuer certificate (&ca; certificate), all subjects are deleted, too.<footnote
>This is the same as a filesystem: When you delete a folder, you delete all files and folders in it, too.</para
>Naturally, this function is only available if you selected at least one certificate. </para>

        <varlistentry id="certificates-dump-certificate">
>Dump Certificate</guimenuitem
> </menuchoice>
>Shows all information that &gpgsm; has about the selected (&smime;) certificate.</action>
>See the discussion about <option
> in the &gpgsm; manual for details about the output. </para>

<sect1 id="menutools"
> Menu</title>


        <varlistentry id="tools-gnupg-log-viewer">
>GnuPG Log Viewer...</guimenuitem
> </menuchoice>
>Starts <ulink url="help:/kwatchgnupg/index.html"
>, a tool to present the debug output of &gnupg; applications. If signing, encryption, or verification mysteriously stop working, you might find out why by looking at the log. </para>
>This function is not available on Windows, since the underlying mechanisms are not implemented in the backend on that platform. </para>

        <varlistentry id="certificates-refresh-openpgp">
>Refresh OpenPGP Certificates</guimenuitem
> </menuchoice>
>Refreshes all &openpgp; certificates</action
> by executing <programlisting
> After successful completion of the command, your local keystore will reflect the latest changes with respect to validity of &openpgp; certificates. </para>
>See note under <xref linkend="certificates-refresh-x509"/> for some caveats. </para>

        <varlistentry id="certificates-refresh-x509">
>Refresh X.509 Certificates</guimenuitem
> </menuchoice>
>Refreshes all &smime; certificates</action
> by executing <programlisting
> After successful completion of the command, your local keystore will reflect the latest changes with respect to validity of &smime; certificates. </para>
>Refreshing &x509; or &openpgp; certificates implies downloading all certificates and &crl;s, to check if any of them have been revoked in the meantime. </para>
>This can put a severe strain on your own as well as other people's network connections, and can take up to an hour or more to complete, depending on your network connection, and the number of certificates to check. </para>

        <varlistentry id="file-import-crls">
>Import CRL From File...</guimenuitem
> </menuchoice>
>Lets you manually import &crl;s from files.</action>
>Normally, Certificate Revocation Lists (&crl;s) are handled transparently by the backend, but it can sometimes be useful to import a &crl; manually into the local &crl; cache. </para>
>For &crl; import to work, the &dirmngr; tool must be in the search <envar
>. If this menu item is disabled, you should contact the system administrator and ask them to install &dirmngr;. </para>

<sect1 id="menusettings"
> Menu</title>


        <varlistentry id="settings-self-test">
>Perform Self-Test</guimenuitem
> </menuchoice>
>Performs a set of self-tests and presents their result.</action>
>This is the same set of tests that is run at startup by default. If you disabled startup-time self-tests, you can re-enable them here. </para>
        <varlistentry id="settings-toolbars">
>Shows/hides &kleopatra; toolbars.</action>
>&kleopatra; has two toolbars: <orderedlist>
>Main Toolbar</guilabel>
>This toolbar carries a selection of common functions. You can configure which functions you would like to see here using <xref linkend="settings-configure-toolbars"/>. </para>
>Search Toolbar</guilabel>
>This toolbar carries the search and filtering controls. </para>

        <varlistentry id="settings-show-statusbar">
>Show Statusbar</guimenuitem
> </menuchoice>
>Toggles the visibility of the bottom status bar.</action>

        <varlistentry id="settings-configure-shortcuts">
>Configure Shortcuts...</guimenuitem
> </menuchoice>
>Opens the standard &kde; shortcut configuration dialog, where you can assign and reassign keyboard shortcuts for all menu items.</action>

        <varlistentry id="settings-configure-toolbars">
>Configure Toolbars...</guimenuitem
> </menuchoice>
>Opens the standard &kde; toolbar configuration dialog,</action
> where you can choose which actions to include in &kleopatra;'s toolbars. </para>

        <varlistentry id="settings-configure-kleopatra">
>Configure &kleopatra;...</guimenuitem
> </menuchoice>
>Opens &kleopatra;'s configure dialog.</action>
>See <xref linkend="configuration"/> for details. </para>


> <!-- Settings Menu -->

<sect1 id="menuwindow"
> Menu</title>
>The <guimenu
> menu allows you to manage the tabs. Using the items in this menu you can rename a tab, add a new tab, duplicate the current tab, close the current tab, and move the current tab to the left or right.</para>

>By clicking with the &RMB; on a tab you open a context menu, where you can also select the same actions.</para>

<sect1 id="menuhelp"
> Menu</title>

>The <guimenu
> menu contains the standard &kde; help menu.</para>
</sect1>


<chapter id="commandline-options"
>Command Line Options Reference</title>

Only the options specific to &kleopatra; are listed here. As with all &kde; applications, you can get a complete list of options by issuing the command kleopatra --help
>kleopatra <option


>Run UI server only, hide main window</para>

> <option
>Use OpenPGP for the following operation</para>

> <option
>Use CMS (X.509, S/MIME) for the following operation</para>

<varlistentry id="commandline-option-import-certificate">
> <option
>Specifies a file or &URL; from which to import certificates (or secret keys).</action

>This is the command line equivalent of <xref linkend="file-import-certificates"/>.</para>

> <option
>Encrypt file(s)</para>

> <option
>Sign file(s)</para>

> <option
>Encrypt and/or sign file(s)</para>

> <option
>Decrypt file(s)</para>

> <option
>Verify file/signature</para>

> <option
>Decrypt and/or verify file(s)</para>



  <chapter id="configuration">
>Configuring &kleopatra;</title>

>&kleopatra;'s configure dialog can be accessed via <xref linkend="settings-configure-kleopatra"/>. </para>
>Each of its pages is described in the sections below. </para>

    <sect1 id="configuration-directory-services">
>Configuring <guilabel
>Directory Services</guilabel

>On this page, you can configure which &ldap; servers to use for &smime; certificate searches, and which key servers to use for &openpgp; certificate searches. </para>
>This is simply a more user-friendly version of the same settings you also find in <xref linkend="configuration-gnupg-system"/>. Everything you can configure here, you can configure there, too. </para>
>A Note On Proxy Settings</title>
>Proxy settings can be configured for &http; and &ldap; in <xref linkend="configuration-smime-validation"/>, but only for &gpgsm;. For &gpg;, due to the complexity of keyserver options in &gpg; and lack of proper support for them in &gpgconf;, you currently need to modify the config file <filename
> directly. Please refer to the &gpg; manual for details. &kleopatra; will preserve such settings, but does not yet allow you to modify them in the &GUI;. </para>
>The <guilabel
>Directory services</guilabel
> table shows which servers are currently configured. Double-click on a cell in the table to change parameters of existing server entries. </para>
>The meaning of the columns in the table is as follows: </para>
        <varlistentry id="configuration-directory-services-scheme">
> <!-- linebreak here'd show up in xref text :/ -->
>Determines the network protocol which is used to access the server. Often-used schemes include <guilabel
> (and its &ssl;-secured sibling <guilabel
>) for &ldap; servers (common protocol for &smime;; the only one supported by &gpgsm;), and <guilabel
>, the Horowitz Keyserver Protocol, nowadays usually &http; Keyserver Protocol, a &http;-based protocol that virtually all public &openpgp; keyservers support. </para>
>Please refer to the &gpg; and &gpgsm; manuals for a list of supported schemes. </para>
        <varlistentry id="configuration-directory-services-server-name">
>Server Name</guilabel
>The domain name of the server, &eg; <systemitem class="systemname"
>. </para>
        <varlistentry id="configuration-directory-services-server-port">
>Server Port</guilabel
>The network port the server is listening on. </para>
>This changes automatically to the default port when you change the <xref linkend="configuration-directory-services-scheme"/>, unless it was set to some non-standard port to begin with. If you changed the default port and cannot get it back, try setting <xref linkend="configuration-directory-services-scheme"/> to <userinput
> and <xref linkend="configuration-directory-services-server-port"/> to <userinput
> (the default for &http;), then take it from there. </para>
        <varlistentry id="configuration-directory-services-base-dn">
>Base DN</guilabel
>The Base-&dn; (only for &ldap; and &ldaps;), &ie; the root of the &ldap; hierarchy to start from. This is often also called <quote
>search root</quote
> or <quote
>search base</quote
>. </para>
>It usually looks like <userinput
>, given as part of the &ldap; &URL;. </para>
        <varlistentry id="configuration-directory-services-user-name">
>User Name</guilabel
>The user name, if any, to use for logging into the server. </para>
>This column is only shown if the option <guilabel
>Show user and password information</guilabel
> (below the table) is checked. </para>
        <varlistentry id="configuration-directory-services-password">
>The password, if any, to use for logging into the server. </para>
>This column is only shown if the option <guilabel
>Show user and password information</guilabel
> (below the table) is checked. </para>
        <varlistentry id="configuration-directory-services-x509">
>Check this column if this entry should be used for &x509; (&smime;) certificate searches. </para>
>Only &ldap; (and &ldaps;) servers are supported for &smime;. </para>
        <varlistentry id="configuration-directory-services-openpgp">
>Check this column if this entry should be used for &openpgp; certificate searches. </para>
>You can configure as many &smime; (&x509;) servers as you want, but only one &openpgp; server is allowed at any time. The &GUI; will enforce this. </para>
>To add a new server, click on the <guibutton
> button. This duplicates the selected entry, if any, or else inserts a default &openpgp; server. Then you can set the <xref linkend="configuration-directory-services-server-name"/>, the <xref linkend="configuration-directory-services-server-port"/>, the <xref linkend="configuration-directory-services-base-dn"/>, and the usual <xref linkend="configuration-directory-services-password"/> and <xref linkend="configuration-directory-services-user-name"/>, both of which are only needed if the server requires authentication. </para>
>To directly insert an entry for &x509; certificates, use <menuchoice
>; use <menuchoice
> for &openpgp;. </para>
>To remove a server from the search list, select it in the list, then press the <guibutton
> button. </para>
>LDAP timeout (minutes:seconds)</guilabel
>. </para>
>If one of your servers has a large database, so that even reasonable searches like <userinput
> hit the <guilabel
>Maximum number of items returned by query</guilabel
>, you may want to increase this limit. You can easily find out whether you hit the limit during a search, since a message will then appear telling you that the results have been truncated. </para>
>Some servers may impose their own limits on the number of items returned from a query. In this case, increasing the limit here will not result in more returned items. </para>

    <sect1 id="configuration-appearance">
>Configuring <guilabel

      <sect2 id="configuration-appearance-tooltips">
>Configuring <guilabel

>In the main certificate list, &kleopatra; can show details about a certificate in a tooltip. The information displayed is the same as in the <guilabel
> tab of the <guilabel
>Certificate Details</guilabel
> dialog. Tooltips, however, can be restricted to show only a subset of information for a less verbose experience. </para>
>The <guilabel
> is <emphasis
> shown. This is to ensure that tooltips for different certificates do, in fact, differ (this is especially important if only <xref linkend="tooltips-validity"/> has been selected). </para>
>You can independently enable or disable the following information sets: </para>
          <varlistentry id="tooltips-validity">
>Show validity</guilabel
>Shows information about the validity of a certificate: its current status, issuer-&dn; (&smime; only), expiry dates (if any) and certificate usage flags. </para>
>Example: <programlisting
                  -->This certificate is currently valid.
<!--              -->Issuer:            CN=Test-ZS 7,O=Intevation GmbH,C=DE
<!--              -->Validity:          from 25.08.2009 10:42 through 19.10.2010 10:42
<!--              -->Certificate usage: Signing EMails and Files, Encrypting EMails and Files
<!--              -->Key-ID:            DC9D9E43<!--
          <varlistentry id="tooltips-owner">
>Show owner information</guilabel
>Shows information about the owner of the certificate: subject-&dn; (&smime; only), user-IDs (including email addresses) and ownertrust (&openpgp; only). </para>
>&openpgp; example: <programlisting
                  -->User-ID:           Gpg4winUserA &lt;gpg4winusera@test.hq&gt;
<!--              -->Key-ID:            C6BF6664
<!--              -->Ownertrust:        ultimate<!--
> &smime; example: <programlisting
                  -->Subject:           CN=Gpg4winTestuserA,OU=Testlab,O=Gpg4win Project,C=DE
<!--              -->a.k.a.:            Gpg4winUserA@test.hq
<!--              -->Key-ID:            DC9D9E43<!--
          <varlistentry id="tooltips-details">
>Show technical details</guilabel
>Shows technical information about the certificate: serial number (&smime; only), type, fingerprint and storage location. </para>
>Example: <programlisting
                  -->Serial Number:     27
<!--              -->Certificate type:  1,024-bit RSA (secret certificate available)
<!--              -->Key-ID:            DC9D9E43
<!--              -->Fingerprint:       854F62EEEBB41BFDD3BE05D124971E09DC9D9E43
<!--              -->Stored:            on this computer<!--


      <sect2 id="configuration-appearance-certificate-filters">
>Configuring <guilabel
>Certificate Categories</guilabel

>&kleopatra; allows you to customize the appearance of certificates in the list view. This includes showing a small icon, but you can also influence the foreground (text) and background colors, as well as the font. </para>
>Each certificate category in the list is assigned a set of colors, an icon (optional) and a font in which certificates from that category are displayed. The category list also acts as a preview of the settings. Categories can be freely defined by the administrator or the power user, see <xref linkend="admin-key-filters"/> in <xref linkend="admin"/>. </para>
>To set or change the icon of a category, select it in the list, and press the <guibutton
>Set Icon...</guibutton
> button. The standard &kde; icon selection dialog will appear where you can select an existing icon from the &kde; collection, or load a custom one. </para>
>To remove an icon again, you need to press the <guibutton
>Default Appearance</guibutton
> button. </para>
>To change the text (&ie; foreground) color of a category, select it in the list, and press the <guibutton
>Set Text Color...</guibutton
> button. The standard &kde; color selection dialog will appear where you can select an existing color or create a new one. </para>
>Changing the background color is done in the same way, just press <guibutton
>Set Background Color...</guibutton
> instead. </para>
>To change the font, you have two options: </para>
>Modify the standard font, used for all list views in &kde;. </para>
>Use a custom font. </para>
>The first option has the advantage that the font will follow whichever style you choose for all of &kde;, while the second gives you full control over the font to use. The choice is yours. </para>
>To use the modified standard font, select the category in the list and check or uncheck the font modifiers <guilabel
>, <guilabel
> and/or <guilabel
>. You can immediately see the effect on the font in the category list. </para>
>To use a custom font, press the <guibutton
>Set Font...</guibutton
> button. The standard &kde; font selection dialog will appear where you can select the new font. </para>
>You can still use the font modifiers to change the custom font, just as for modifying the standard font. </para>
>To switch back to the standard font, you need to press the <guibutton
>Default Appearance</guibutton
> button. </para>


      <sect2 id="configuration-dn-order">
>Configuring <guilabel
>DN-Attribute Order</guilabel

Although &dn;s are hierarchical, the order of the individual components (called relative &dn;s (RDNs), or &dn; attributes) is not defined. The order in which the attributes are shown is thus a matter of personal taste or company policy, which is why it is configurable in &kleopatra;.

>This setting applies not only to &kleopatra;, but to all applications that use &kleopatra; Technology. At the time of this writing, these include &kmail;, &kaddressbook;, as well as &kleopatra; itself, of course.</para

>This configuration page basically consists of two lists, one for the known attributes (<guilabel
>Available attributes</guilabel
>), and one describing the <guilabel
>Current attribute order</guilabel

>Both lists contain entries described by the short form of the attribute (&eg; <guilabel
>) as well as the spelled-out form (<guilabel
>Common Name</guilabel

>The <guilabel
>Available attributes</guilabel
> list is always sorted alphabetically, while the order of the <guilabel
>Current attribute order</guilabel
> list reflects the configured &dn; attribute order: the first attribute in the list is also the one displayed first.</para>

>Only attributes explicitly listed in the <guilabel
>Current attribute order</guilabel
> list are displayed at all. The rest is hidden by default.</para>

>However, if the placeholder entry <guilabel
> (<guilabel
>All others</guilabel
>) is in the list <quote
>, all unlisted attributes (whether known or not) are inserted at the position of <guilabel
>, in their original relative order.</para>

>A small example will help to make this clearer:</para>

>Given the &dn;</para>
>O=&kde;, C=US, CN=Dave Devel, X-BAR=foo, OU=&kleopatra;, X-FOO=bar, </para>
>the default attribute order of <quote
>CN, L, _X_, OU, O, C</quote
> will produce the following formatted &dn;:</para>
>CN=Dave Devel, X-BAR=foo, X-FOO=bar, OU=&kleopatra;, O=&kde;, C=US </para>
>while <quote
>CN, L, OU, O, C</quote
> will produce</para>
>CN=Dave Devel, OU=&kleopatra;, O=&kde;, C=US </para>
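The ordering rule above, written out as an added Python example (not Kleopatra's own code). The function names and the comma-splitting parser are assumptions, and the entities in the sample &dn; are spelled out as KDE and Kleopatra.

```python
PLACEHOLDER = "_X_"  # the "All others" entry in the configured order


def split_dn(dn):
    """Split 'A=1, B=2' into [(attribute, value), ...], keeping the DN's own order.

    A backslash escapes the following character, so an escaped comma stays
    inside its value instead of starting a new attribute.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue  # tolerate a trailing comma, as in the handbook's sample
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        pairs.append((name.strip().upper(), value.strip()))
    return pairs


def _normalise(order):
    """Upper-case the configured order and drop repeated entries."""
    seen, result = set(), []
    for name in order:
        key = name.strip().upper()
        if key and key not in seen:
            seen.add(key)
            result.append(key)
    return result


def format_dn(dn, order):
    """Render the DN with attributes in the configured display order."""
    pairs = split_dn(dn)
    order = _normalise(order)
    listed = set(order) - {PLACEHOLDER}
    shown = []
    for name in order:
        if name == PLACEHOLDER:
            # Unlisted attributes go here, in their original relative order.
            shown.extend(p for p in pairs if p[0] not in listed)
        else:
            shown.extend(p for p in pairs if p[0] == name)
    return ", ".join(f"{n}={v}" for n, v in shown)


def hidden_attributes(dn, order):
    """Attribute names that the configured order leaves out of the display."""
    order = _normalise(order)
    if PLACEHOLDER in order:
        return []  # the placeholder shows everything that is not listed
    listed = set(order)
    return [n for n, _ in split_dn(dn) if n not in listed]


# Sample DN from the handbook, with &kde; and &kleopatra; spelled out.
SAMPLE_DN = "O=KDE, C=US, CN=Dave Devel, X-BAR=foo, OU=Kleopatra, X-FOO=bar,"
DEFAULT_ORDER = ["CN", "L", "_X_", "OU", "O", "C"]
WITHOUT_PLACEHOLDER = ["CN", "L", "OU", "O", "C"]

if __name__ == "__main__":
    print(format_dn(SAMPLE_DN, DEFAULT_ORDER))
    print(format_dn(SAMPLE_DN, WITHOUT_PLACEHOLDER))
    print("hidden:", hidden_attributes(SAMPLE_DN, WITHOUT_PLACEHOLDER))
```

`hidden_attributes` lists what a given order keeps off screen, which is worth checking when two certificates could differ only in an unlisted attribute.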

>To add an attribute to the display order list, select it in the <guilabel
>Available attributes</guilabel
> list and press the <guilabel
>Add to current attribute order</guilabel

>To remove an attribute from the display order list, select it in the <guilabel
>Current attribute order</guilabel
> list and press the <guilabel
>Remove from current attribute order</guilabel

>To move an attribute to the beginning (or end), select it in the <guilabel
>Current attribute order</guilabel
> list and press the <guilabel
>Move to top</guilabel
> (<guilabel
>Move to bottom</guilabel

>To move an attribute up (or down) by one position only, select it in the <guilabel
>Current attribute order</guilabel
> list and press the <guilabel
> (or <guilabel



    <sect1 id="configuration-crypto-operations">
>Configuring <guilabel
>Crypto Operations</guilabel

      <sect2 id="configuration-crypto-operations-email">
>Configuring <guilabel
>EMail Operations</guilabel

>Here you can configure some aspects of the email operations of &kleopatra;'s &uiserver;. Currently, you can only configure whether to use <quote
>Quick Mode</quote
> for signing and encrypting emails, respectively. </para>
>When <quote
>Quick Mode</quote
> is enabled, no dialog is shown when signing (encrypting) emails, respectively, unless there is a conflict that needs manual resolution. </para>


      <sect2 id="configuration-crypto-operations-file">
>Configuring <guilabel
>File Operations</guilabel

>Here you can configure some aspects of the file operations of &kleopatra;'s &uiserver;. Currently, you can only choose the checksum program to use for <command
>. </para>
>Use <guilabel
>Checksum program to use</guilabel
> to choose which of the configured checksum programs should be used when creating checksum files. </para>
>When verifying checksums, the program to use is automatically found, based on the names of the checksum files found. </para>
>The administrator and power user can completely define which checksum programs to make available to &kleopatra; through so-called <quote
>Checksum Definitions</quote
> in the config file. See <xref linkend="admin-checksum-definitions"/> in <xref linkend="admin"/> for details. </para>



    <sect1 id="configuration-smime-validation">
>Configuring aspects of <guilabel
>S/MIME Validation</guilabel

>On this page, you can configure certain aspects of the validation of &smime; certificates. </para>
>For the most part, this is simply a more user-friendly version of the same settings you also find in <xref linkend="configuration-gnupg-system"/>. Everything you can configure here, you can configure there, too, with the exception of <xref linkend="configuration-smime-validation-refresh-interval"/>, which is &kleopatra;-specific. </para>
>The meaning of the options is as follows: </para>

      <sect2 id="configuration-smime-validation-interval-checking">
>Configuring interval certificate checking</title>

          <varlistentry id="configuration-smime-validation-refresh-interval">
>Check certificate validity every <replaceable
> hours</guilabel
>This option enables interval checking of certificate validity. You can also choose the checking interval (in hours). The effect of interval checking is the same as <xref linkend="view-redisplay"/>; there is no provision for interval scheduling of <xref linkend="certificates-refresh-openpgp"/> or <xref linkend="certificates-refresh-x509"/>. </para
>Validation is performed implicitly whenever significant files in <filename
> change. This option, just like <xref linkend="certificates-refresh-openpgp"/> and <xref linkend="certificates-refresh-x509"/>, therefore only affects external factors of certificate validity. </para>


      <sect2 id="configuration-smime-validation-method">
>Configuring validation method</title>

          <varlistentry id="configuration-smime-validation-use-crls">
>Validate certificates using CRLs</guilabel
>If this option is selected, &smime; certificates are validated using Certificate Revocation Lists (&crl;s). </para>
>See <xref linkend="configuration-smime-validation-use-ocsp"/> for an alternative method of certificate validity checking. </para>
          <varlistentry id="configuration-smime-validation-use-ocsp">
>Validate certificates online (OCSP)</guilabel
>If this option is selected, &smime; certificates are validated online using the Online Certificates Status Protocol (&ocsp;). </para>
>When choosing this method, a request is sent to the server of the &ca; more or less each time you send or receive a cryptographic message, thus theoretically allowing the certificate issuing agency to track whom you exchange (&eg;) mails with. </para>
>To use this method, you need to enter the &URL; of the &ocsp; responder into <xref linkend="configuration-smime-validation-ocsp-url"/>. </para>
>See <xref linkend="configuration-smime-validation-use-crls"/> for a more traditional method of certificate validity checking that does not leak information about whom you exchange messages with. </para>
          <varlistentry id="configuration-smime-validation-ocsp-url">
>OCSP responder URL</guilabel
>Enter here the address of the server for online validation of certificates (&ocsp; responder). The &URL; usually starts with <literal
>. </para>
          <varlistentry id="configuration-smime-validation-ocsp-signature">
>OCSP responder signature</guilabel
>Choose here the certificate with which the &ocsp; server signs its replies. </para>
          <varlistentry id="configuration-smime-validation-ocsp-ignore-service-url">
>Ignore service URL of certificates</guilabel
>Each &smime; certificate usually contains the &URL; of its issuer's &ocsp; responder (<xref linkend="certificates-dump-certificate"/> will reveal whether a given certificate contains it). </para>
>Checking this option makes &gpgsm; ignore those &URL;s and only use the one configured above. </para>
>Use this to &eg; enforce use of a company-wide &ocsp; proxy. </para>



      <sect2 id="configuration-smime-validation-options">
>Configuring validation options</title>

          <varlistentry id="configuration-smime-validation-dont-check-cert-policy">
>Do not check certificate policies</guilabel
>By default, &gpgsm; uses the file <filename
> to check if a certificate policy is allowed. If this option is selected, policies are not checked. </para>
          <varlistentry id="configuration-smime-validation-never-consult-crl">
>Never consult a CRL</guilabel
>If this option is checked, Certificate Revocation Lists are never used to validate &smime; certificates. </para>
          <varlistentry id="configuration-smime-validation-allow-mark-trusted">
>Allow to mark root certificates as trusted</guilabel
>If this option is checked while a root &ca; certificate is being imported, you will be asked to confirm its fingerprint and to state whether or not you consider this root certificate to be trusted. </para>
>A root certificate needs to be trusted before the certificates it certified become trusted, but lightly allowing trusted root certificates into your certificate store will undermine the security of the system. </para>
>Enabling this functionality in the backend can lead to popups from &pinentry; at inopportune times (&eg; when verifying signatures), and can thus block unattended email processing. For that reason, and because it is desirable to be able to <emphasis
> a trusted root certificate again, &kleopatra; allows manual setting of trust using <xref linkend="certificates-trust-root"/> and <xref linkend="certificates-distrust-root"/>. </para>
>This setting here does not influence the &kleopatra; function. </para>
          <varlistentry id="configuration-smime-validation-fetch-missing-issuers">
>Fetch missing issuer certificates</guilabel
>If this option is checked, missing issuer certificates are fetched when necessary (this applies to both validation methods, &crl;s and &ocsp;). </para>


      <sect2 id="configuration-smime-validation-http-options">
>Configuring &http; request options</title>

          <varlistentry id="configuration-smime-validation-disable-http">
>Do not perform any HTTP requests</guilabel
>Entirely disables the use of &http; for &smime;. </para>
          <varlistentry id="configuration-smime-validation-ignore-http-dp">
>Ignore HTTP CRL distribution point of certificates</guilabel
>When looking for the location of a &crl;, the to-be-tested certificate usually contains what are known as <quote
>&crl; Distribution Point</quote
> (<acronym
>) entries, which are &URL;s describing the way to access the &crl;. The first-found <acronym
> entry is used. </para>
>With this option, all entries using the &http; scheme are ignored when looking for a suitable <acronym
>. </para>
          <varlistentry id="configuration-smime-validation-honor-http-proxy">
>Use system HTTP proxy</guilabel
>If this option is selected, the value of the &http; proxy shown on the right (which comes from the environment variable <envar
>) will be used for any &http; request. </para>
          <varlistentry id="configuration-smime-validation-custom-http-proxy">
>Use this proxy for HTTP requests</guilabel
>If no system proxy is set, or you need to use a different proxy for &gpgsm;, you can enter its location here. </para>
>It will be used for all HTTP requests relating to S/MIME. </para>
>The syntax is <userinput
>, &eg; <userinput
>. </para>


      <sect2 id="configuration-smime-validation-ldap-options">
>Configuring &ldap; request options</title>

          <varlistentry id="configuration-smime-validation-disable-ldap">
>Do not perform any LDAP requests</guilabel
>Entirely disables the use of &ldap; for &smime;. </para>
          <varlistentry id="configuration-smime-validation-ignore-ldap-dp">
>Ignore LDAP CRL distribution point of certificates</guilabel
>When looking for the location of a &crl;, the to-be-tested certificate usually contains what are known as "&crl; Distribution Point" (<acronym
>) entries, which are &URL;s describing the way to access the &crl;. The first found <acronym
> entry is used. </para>
>With this option, all entries using the &ldap; scheme are ignored when looking for a suitable <acronym
>. </para>
          <varlistentry id="configuration-smime-validation-custom-ldap-proxy">
>Primary host for LDAP requests</guilabel
>Entering an &ldap; server here will make all &ldap; requests go to that server first. More precisely, this setting overrides any specified <replaceable
> and <replaceable
> part in an &ldap; &URL; and will also be used if <replaceable
> and <replaceable
> have been omitted from the &URL;. </para>
>Other &ldap; servers will be used only if the connection to the <quote
> failed. The syntax is <userinput
> or <userinput
>. If <replaceable
> is omitted, port 389 (standard &ldap; port) is used. </para>



    <sect1 id="configuration-gnupg-system">
>Configuring the <guilabel
>GnuPG System</guilabel

>This part of the dialog is auto-generated from the output of <command
>gpgconf <option
> and, for each <replaceable
> that the above command returns, the output of <command
>gpgconf <option
> <replaceable
>. </para>
>The most useful of these options have been duplicated as separate pages in the &kleopatra; config dialog. See <xref linkend="configuration-directory-services"/> and <xref linkend="configuration-smime-validation"/> for the two dialog pages which contain selected options from this part of the dialog. </para>
>The exact content of this part of the dialog depends on the version of the &gnupg; backend you have installed and, potentially, the platform you run on. Thus, we will only discuss the general layout of the dialog, including the mapping from &gpgconf; option to &kleopatra; &GUI; control. </para>
>&gpgconf; returns configuration information for multiple components. Inside each component, individual options are combined into groups. </para>
>&kleopatra; displays one tab per component reported by &gpgconf;; groups are headed by a horizontal line displaying the group name as returned from &gpgconf;. </para>
>Each &gpgconf; option has a type. Except for certain well-known options which &kleopatra; backs with specialised controls for a better user experience, the mapping between &gpgconf; types and &kleopatra; controls is as follows: </para>
      <table id="table-gpgconf-types">
>Mapping From &gpgconf; Types To &GUI; Controls</title>
	<tgroup cols="3">
          <colspec colname="type"/>
	  <colspec colname="lists" align="center"/>
          <colspec colname="non-lists" align="center"/>
	      <entry morerows="1"
>&gpgconf; type</entry>
              <entry namest="lists" nameend="non-lists"
>&kleopatra; control</entry>
>for lists</entry>
>for non-lists</entry>
>Spinbox (<quote
              <entry morerows="1"
>Lineedit (unformatted)</entry>
              <entry morerows="1"
>specialised control</entry>
>ldap server</literal
>specialised control</entry>
>key fingerprint</literal
              <entry morerows="3" namest="lists" nameend="non-lists"
>pub key</literal
>sec key</literal
>alias list</literal
>See the &gpgconf; manual for more information about what you can configure here, and how. </para>



<chapter id="admin"
>Administrator's Guide</title>

This Administrator's Guide describes ways to customize &kleopatra; that are not accessible through the graphical interface, but only through config files.

It is assumed that the reader is familiar with the technology used for &kde; application configuration, including the layout, file system location and cascading of &kde; config files, as well as the KIOSK framework.

<sect1 id="admin-certificate-request-wizard"
>Customizing the Certificate-Creation Wizard</title>

<sect2 id="admin-certificate-request-wizard-dn"
>Customizing the DN fields</title>

&kleopatra; allows you to customize the fields that the user is allowed to enter in order to create their certificate.

>Create a group called <literal
> in the system-wide <filename
>. If you want a custom order of attributes, or if you only want certain items to appear, create a key called <varname
>. The argument is one of <varname
>. If you want to initialize fields with a certain value, write something like Attribute=value. If you want the attribute to be treated as a required one, append an exclamation mark (e.g. <varname
>, which is in fact the default configuration).</para>

>Using the <acronym
> mode modifier <varname
> allows you to retrieve the values from environment variables or from an evaluated script or binary. If you additionally want to disallow editing of the respective field, use the modifier <varname
>. If you want to disallow the use of the <guibutton
>Insert My Address</guibutton
> button, set <varname
> to "false".</para>

>Due to the nature of the &kde; <acronym
> framework, using the immutable flag (<varname
>) makes it impossible for the user to override the flag. This is intended behavior. <varname
> and <varname
> can be used with all other config keys in &kde; applications as well.</para

>The following example outlines possible customizations:</para>

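[CertificateCreationWizard]
;Disallow to copy personal data from the addressbook, do not allow local override
ShowSetWhoAmI[$i]=false

;sets the user name to $USER
CN[$e]=$USER

;sets the company name to "My Company", disallows editing
O[$i]=My Company

;sets the department name to a value returned by a script
;(lookup_dept_from_ip is a placeholder for a script your site provides)
OU[$ei]=$(lookup_dept_from_ip)

; sets country to DE, but allows for changes by the user
C=DE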


      <sect2 id="admin-certificate-request-wizard-keys">

>Restricting the Types of Keys a User is Allowed to Create</title>

>&kleopatra; also lets you restrict which types of certificates a user is allowed to create. Note, however, that an easy way around these restrictions is to just create one on the command line. </para>

        <sect3 id="admin-certificate-request-wizard-keys-type">

>Public Key Algorithms</title>

>To restrict the public key algorithm to use, add the config key <varname
> (and <varname
>, but only <acronym
> is supported for <acronym
> anyway) to the <literal
> section of <filename
>. </para>

>The allowed values are <literal
> for <acronym
> keys, <literal
> for <acronym
> (sign-only) keys, and <literal
> for a <acronym
> (sign-only) key with an Elgamal subkey for encryption. </para>

>The default is read from &gpgconf; or else <literal
> if &gpgconf; doesn't provide a default. </para>


        <sect3 id="admin-certificate-request-wizard-keys-size">

>Public Key Size</title>

>To restrict the available key sizes for a public algorithm, add the config key <varname
> (where <replaceable
> may be <literal
>, <literal
> or <literal
>) to the <literal
> section of <filename
>, containing a comma-separated list of keysizes (in bits). A default may be indicated by prefixing the keysize with a hyphen (<literal
>). </para>

>RSAKeySizes = 1536,-2048,3072

>The above would restrict allowed <acronym
> key sizes to 1536, 2048 and 3072, with 2048 the default. </para>

>In addition to the sizes themselves, you may also specify labels for each of the sizes. Simply set the config key <varname
> to a comma-separated list of labels. </para>

>RSAKeySizeLabels = weak,normal,strong

>The above, in connection with the previous example, would print something like the following options for selection: <programlisting
>weak (1536 bits)
              normal (2048 bits)
              strong (3072 bits)

>The defaults are as if the following was in effect: <programlisting
>RSAKeySizes = 1536,-2048,3072,4096
              RSAKeySizeLabels =
              DSAKeySizes = -1024,2048
              DSAKeySizeLabels = v1,v2
              ELGKeySizes = 1536,-2048,3072,4096
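An added Python example (not part of Kleopatra or of this handbook) that reads the key-size keys described above, rebuilds the selection list, and reports every offered size below a minimum you choose. The function names, the flat key=value parsing, the rendering of unlabelled sizes and the minimum itself are assumptions.

```python
ALGORITHMS = ("RSA", "DSA", "ELG")  # prefixes used in the handbook's defaults

# Constructed sample: the handbook's RSA example plus its stated DSA defaults.
SAMPLE_CONFIG = """\
; group header left out on purpose; only the key/value lines are parsed
RSAKeySizes = 1536,-2048,3072
RSAKeySizeLabels = weak,normal,strong
DSAKeySizes = -1024,2048
DSAKeySizeLabels = v1,v2
"""


def parse_entries(text):
    """Collect 'Key = value' lines, skipping comments, blanks and group headers."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def key_size_options(entries, algo):
    """Return [(bits, is_default, label_or_None), ...] for one algorithm."""
    sizes = [t.strip() for t in entries.get(f"{algo}KeySizes", "").split(",")]
    sizes = [t for t in sizes if t]
    labels = [t.strip() for t in entries.get(f"{algo}KeySizeLabels", "").split(",")]
    options = []
    for index, token in enumerate(sizes):
        is_default = token.startswith("-")  # a leading hyphen marks the default
        digits = token[1:] if is_default else token
        if not digits.isdigit():
            raise ValueError(f"bad key size {token!r} in {algo}KeySizes")
        label = labels[index] if index < len(labels) and labels[index] else None
        options.append((int(digits), is_default, label))
    return options


def menu_lines(options):
    """Render options the way the handbook shows them: 'label (N bits)'.

    Sizes without a label are rendered as 'N bits' (an assumption of this example).
    """
    return [
        f"{label} ({bits} bits)" if label else f"{bits} bits"
        for bits, _, label in options
    ]


def below_policy(entries, minimum_bits):
    """List (algorithm, bits, is_default) for every offered size under the minimum.

    minimum_bits is the caller's own policy; the handbook does not prescribe one.
    """
    findings = []
    for algo in ALGORITHMS:
        for bits, is_default, _ in key_size_options(entries, algo):
            if bits < minimum_bits:
                findings.append((algo, bits, is_default))
    return findings


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CONFIG)
    for line in menu_lines(key_size_options(entries, "RSA")):
        print(line)
    for algo, bits, is_default in below_policy(entries, 2048):
        note = " (offered as the default)" if is_default else ""
        print(f"{algo} {bits} bits is below the chosen minimum{note}")
```

A finding flagged as the default deserves attention first, because it is the size a user gets by simply accepting the dialog.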




    <sect1 id="admin-key-filters">

>Creating and Editing Key Categories</title>

>&kleopatra; allows the user to configure the <link linkend="configuration-appearance-certificate-filters"
>visual appearance</link
> of keys based on a concept called <guilabel
>Key Categories</guilabel
>. <guilabel
>Key Categories</guilabel
> are also used to filter the list of certificates. This section describes how you can edit the available categories and add new ones. </para>

>When trying to find the category a key belongs to, &kleopatra; tries to match the key against a sequence of key filters configured in <filename
>. The first one to match defines the category, based on a concept of <emphasis
>, which is explained further below. </para>

>Each key filter is defined in a config group named <literal
>Key Filter #<replaceable
>, where <replaceable
> is a number, starting from <literal
>. </para>

>The only mandatory keys in a <literal
>Key Filter #<replaceable
> group are <varname
>, containing the name of the category as displayed in the <link linkend="configuration-appearance-certificate-filters"
>config dialog</link
>, and <varname
>, which is used as a reference for the filter in other configuration sections (such as <literal
>View #<replaceable
>). </para>

><xref linkend="table-key-filters-appearance"/> lists all keys that define the display properties of keys belonging to that category (&ie; those keys that can be adjusted in the <link linkend="configuration-appearance-certificate-filters"
>config dialog</link
>), whereas <xref linkend="table-key-filters-criteria"/> lists all keys that define the criteria the filter matches keys against. </para>

      <table id="table-key-filters-appearance">
>Key-Filter Configuration Keys Defining Display Properties</title>
	<tgroup cols="3">
	  <colspec colnum="2" align="center"/>
>Config Key</entry>
>background-color</varname
>The background color to use. If missing, defaults to the globally defined background color for list views. </entry>
>foreground-color</varname
>The text color to use. If missing, defaults to the globally defined text color for list views. </entry>
>The font to use. This font will be scaled to the size configured for list views, and any font attributes (see below) will be applied. </entry>
>If set to <literal
> and <varname
> is not set, uses the default list view font with bold font style added (if available). Ignored if <varname
> is also present. </entry>
>Analogous to <varname
>, but for italic font style instead of bold. </entry>
>If set to <literal
>, draws a centered line over the font. Applied even if <varname
> is also set. </entry>
>The name of an icon to show in the first column. Does not work yet. </entry>

      <table id="table-key-filters-criteria">
>Key-Filter Configuration Keys Defining Filter Criteria</title>
	<tgroup cols="3">
	  <colspec colnum="2" align="center"/>
>Config Key</entry>
>If specified, the filter matches when...</entry>
>the key has been revoked.</entry>
> <para
>Context is an enumeration with the following allowed values: <literal
>, <literal
> and <literal
>. </para>
>the context in which this filter matches.</entry>
>the key has expired.</entry>
>the key has been disabled (marked for not using) by the user. Ignored for &smime; keys. </entry>
>the key is a root certificate. Ignored for OpenPGP keys. </entry>
>the key can be used for encryption. </entry>
>the key can be used for signing. </entry>
>the key can be used for signing (certifying) other keys. </entry>
>the key can be used for authentication (&eg; as a <acronym
> client certificate). </entry>
>the key can be used to make Qualified Signatures (as defined by the German Digital Signature Law). </entry>
>the key material is stored on a smartcard (instead of on the computer). </entry>
>the secret key for this key pair is available. </entry>
>the key is an OpenPGP key (<literal
>), or an &smime; key (<literal
>). </entry>
>the key has been validated. </entry>
> <para
>Validity is an (ordered) enumeration with the following values: <literal
> (unknown), <literal
> (undefined), <literal
> (never), <literal
> (marginal), <literal
> (full), <literal
> (ultimate). See the &gpg; and &gpgsm; manuals for a detailed explanation. </para>
>the key has exactly (<replaceable
>), has anything but (<replaceable
>), has at least (<replaceable
>), or has at most (<replaceable
>) the ownertrust given as the value of the config key. The behavior is undefined if the same group contains more than one of the keys <varname
>  (with values <replaceable
>. </entry>
>Analogous to <varname
>, but for key validity instead of ownertrust. </entry>

>Some of the more interesting criteria, such as <varname
> or <varname
> will only work on <emphasis
> keys, which is why only validated keys are checked for revocation and expiration, although you are free to remove these extra checks. </para>

>In addition to the config keys listed above, a key filter may also have a <varname
> and a <varname
>. </para>

>Using the filter's <varname
>, which defaults to the name of the filter's configuration group if not given or empty, you can reference the key filter elsewhere in the configuration, &eg; in &kleopatra;'s View configurations. &kleopatra; does not interpret <varname
>, so you can use any string you like, as long as it is unique. </para>

> limits the applicability of the filter. Two contexts are currently defined: the <literal
> context is used when defining the color and font properties of views. The <literal
> context is used to selectively include (and exclude) certificates from views. <literal
> can be used to signify all currently defined contexts, and is the default if <varname
> is not given, or otherwise produces no contexts. This ensures that no key filter can end up <quote
>, &ie; with no contexts to apply to. </para>

>The format of the entry is a list of tokens, separated by non-word characters. Each of the tokens is optionally prefixed by an exclamation point (<literal
>), indicating negation. The tokens act in order on an internal list of contexts, which starts out empty. This is best explained by an example: <literal
>any !appearance</literal
> is the same as <literal
>, and <literal
>appearance !appearance</literal
> produces the empty set, as does <literal
>. However, the last two will be internally replaced by <literal
>, since they produce no contexts at all. </para>

>In general, criteria that are not specified (&ie; the config entry is not set) are not checked. If a criterion is given, it is checked and must match for the filter as a whole to match, &ie; the criteria are combined with a logical AND. </para>

>Each filter has an implied <quote
> that is used to rank all matching filters. The more specific filter wins over less specific ones. If two filters have the same specificity, the one that comes first in the config file wins. A filter's specificity is proportional to the number of criteria it contains. </para>
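The context-token rules, the AND-combination of criteria and the specificity ranking described above can be followed in one small model. This is an added example, not Kleopatra's code: the key names used (`match-contexts`, `was-validated`, `is-expired`, `is-revoked`, `is-root-certificate`) and the context name `filtering` follow upstream Kleopatra naming and are assumptions here, since they are not legible on this page, and specificity is taken to be simply the number of criteria.

```python
import re

# Context names as assumed from upstream Kleopatra; "any" stands for all of them.
ALL_CONTEXTS = frozenset({"appearance", "filtering"})

def parse_match_contexts(entry):
    """Apply the tokens in order to a context set that starts out empty."""
    contexts = set()
    for negated, token in re.findall(r"(!?)(\w+)", entry):
        selected = ALL_CONTEXTS if token == "any" else {token} & ALL_CONTEXTS
        if negated:
            contexts -= selected
        else:
            contexts |= selected
    # An entry that produces no contexts at all is replaced by "any".
    return contexts or set(ALL_CONTEXTS)

def winning_filter(filters, key, context):
    """Return the most specific filter matching `key` in `context`, or None."""
    best = None
    for flt in filters:  # iterate in config-file order
        if context not in parse_match_contexts(flt.get("match-contexts", "any")):
            continue
        criteria = flt["criteria"]
        # Unspecified criteria are not checked; specified ones are ANDed.
        if any(key.get(name) != wanted for name, wanted in criteria.items()):
            continue
        # Specificity = number of criteria; strict ">" lets the earlier filter win ties.
        if best is None or len(criteria) > len(best["criteria"]):
            best = flt
    return best

# Constructed sample configuration and key (not taken from the page).
FILTERS = [
    {"name": "expired", "criteria": {"is-expired": True}},
    {"name": "expired root, not revoked", "match-contexts": "any !filtering",
     "criteria": {"was-validated": True, "is-expired": True,
                  "is-revoked": False, "is-root-certificate": True}},
    {"name": "revoked", "criteria": {"is-revoked": True}},
]
KEY = {"was-validated": True, "is-expired": True,
       "is-revoked": False, "is-root-certificate": True}

if __name__ == "__main__":
    for ctx in ("appearance", "filtering"):
        print(ctx, "->", winning_filter(FILTERS, KEY, ctx)["name"])
```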

>Examples of Key Filters</title>
>To check all expired, but not revoked, root certificates, one would use a key filter defined as follows: </para>
<!-- isn't there a better way to not indent this in the output??? -->
-->[Key Filter #<replaceable
Name=caducada mais non revogada
; ( specificity 4 )<!--
>To check all disabled OpenPGP keys (not yet possible in &kleopatra;) with an ownertrust of at least <quote
>, one would use: </para>
-->[Key Filter #<replaceable
Name=chaves de OpenPGP desactivadas con confianza marxinal ou boa
; ( specificity 3 )<!--


    <sect1 id="admin-archive-definitions">

>Configuring Archivers for Use with Sign/Encrypt Files</title>

>&kleopatra; allows the administrator (and power-user) to configure the list of archivers that are presented in the Sign/Encrypt Files dialog. </para>

>Each archiver is defined in <filename
> as a separate <literal
> group, with the following mandatory keys: </para>


        <varlistentry id="archive-definition-extensions">
>A comma-separated list of filename extensions that usually indicate this archive format. </para>

        <varlistentry id="archive-definition-id">
>A unique ID used to identify this archiver internally. If in doubt, use the name of the command. </para>

        <varlistentry id="archive-definition-Name">
> (translated)</term>
>The user-visible name of this archiver, as shown in the corresponding drop-down menu of the Sign/Encrypt Files dialog. </para>

        <varlistentry id="archive-definition-pack-command">
>The actual command to archive files. You can use any command, as long as no shell is required to execute it. The program file is looked up using the <envar
> environment variable, unless you use an absolute file path. Quoting is supported as if a shell was used: <programlisting
>pack-command="/opt/ZIP v2.32/bin/zip" -r -</programlisting>


      <note id="backslashes-in-config-keys">
>Since backslash (<literal
>) is an escape character in KDE config files, you need to double them when they appear in path names: <programlisting
> However, for the command itself (as opposed to its arguments), you may just use forward slashes (<literal
>) as path separators on all platforms: <programlisting
> This is not supported in arguments, as most Windows programs use the forward slash for options. For example, the following will not work, since <literal
> is an argument to <command
>, and <literal
> is not converted to <literal
> in arguments, only commands: <programlisting
>pack-command=cmd.exe C:/myarchivescript.bat</programlisting
> This needs, instead, to be written as: <programlisting
>pack-command=cmd.exe C:\\myarchivescript.bat</programlisting>

      <sect2 id="admin-archive-definitions-filename-passing">

>Input Filename Passing for <literal

>There are three ways to pass filenames to the pack command. For each of these, <literal
> provides a particular syntax: </para>


>As command-line arguments.</para>
>Example (tar): <programlisting
>pack-command=tar cf -</programlisting
> Example (zip): <programlisting
>pack-command=zip -r - %f</programlisting
> In this case, filenames are passed on the command line, just like you would when using the command prompt. &kleopatra; does not use a shell to execute the command. Therefore, this is a safe way of passing filenames, but it might run into command line length restrictions on some platforms. A literal <literal
>, if present, is replaced by the names of the files to archive. Otherwise, filenames are appended to the command line. Thus, the zip Example above could equivalently be written like this: <programlisting
>pack-command=zip -r -</programlisting>

>Via standard-in, separated by newlines: prepend <literal
>Example (GNU-tar): <programlisting
>pack-command=|gtar cf - -T-</programlisting
> Example (ZIP): <programlisting
>pack-command=|zip -@ -</programlisting
> In this case, filenames are passed to the archiver on <acronym
>, one per line. This avoids problems on platforms which place a low limit on the number of command line arguments that are allowed, but fails when filenames, in fact, contain newlines. </para>
>&kleopatra; currently only supports <acronym
> as a newline separator, not <acronym
>. This might change in future versions, based on user feedback. </para>

>Via standard-in, separated by NUL-bytes: prepend <literal
>Example (GNU-tar): <programlisting
>pack-command=0|gtar cf - -T- --null</programlisting
> This is the same as above, except that NUL bytes are used to separate filenames. Since NUL bytes are forbidden in filenames, this is the most robust way of passing filenames, but not all archivers support it. </para>
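The three filename-passing modes can be compared side by side by turning a pack-command value into the argument vector and standard-input payload it implies. This is an added example, not Kleopatra's code: it assumes Python's `shlex` as a stand-in for the shell-like quoting rules, assumes each name on standard input is terminated by the separator, and uses constructed filenames.

```python
import os
import shlex

def build_invocation(pack_command, filenames):
    """Return (argv, stdin_bytes) for a pack-command value; stdin_bytes is None
    when the filenames travel as command-line arguments."""
    if pack_command.startswith("0|"):
        separator, command = "\0", pack_command[2:]
    elif pack_command.startswith("|"):
        separator, command = "\n", pack_command[1:]
    else:
        separator, command = None, pack_command
    # shlex handles the quoting only; the result is an argv list that is
    # executed directly, so no shell ever interprets a filename.
    argv = shlex.split(command)
    if not argv:
        raise ValueError("pack-command names no program")
    if separator is None:
        if "%f" in argv:
            at = argv.index("%f")
            argv[at:at + 1] = filenames  # a literal %f is replaced by the names
        else:
            argv.extend(filenames)       # otherwise the names are appended
        return argv, None
    for name in filenames:
        if separator in name:
            # Newline-separated input cannot represent this name unambiguously.
            raise ValueError("filename %r contains the separator" % name)
    return argv, b"".join(os.fsencode(n + separator) for n in filenames)

# Constructed filenames, including one that breaks newline separation.
PLAIN = ["report final.txt", "b.txt"]
TRICKY = ["notes\n2024.txt"]

if __name__ == "__main__":
    print(build_invocation("zip -r - %f", PLAIN))
    print(build_invocation("|gtar cf - -T-", PLAIN))
    print(build_invocation("0|gtar cf - -T- --null", TRICKY))
```

Avoiding the shell does not stop the archiver itself from reading a filename that begins with a dash as an option; placing `--` before `%f`, as the `sha1sum` checksum definition on this page does, covers that for programs that honor the convention.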


> <!-- Input Filename Passing for pack-command -->

> <!-- Archive Definitions -->

    <sect1 id="admin-checksum-definitions">

>Configuring Checksum Programs for Use with Create/Verify Checksums</title>

>&kleopatra; allows the administrator (and power-user) to configure the list of checksum programs that the user can choose from in the config dialog and that &kleopatra; is able to auto-detect when asked to verify a given file's checksum. </para>

>To be usable by &kleopatra;, output of checksum programs (both the written checksum file, as well as the output on <acronym
> when verifying checksums) needs to be compatible with <acronym
> <command
> and <command
>. </para>

>Specifically, the checksum file needs to be line-based with each line having the following format: <programlisting
><replaceable>CHECKSUM</replaceable> ' ' ( ' ' | '*' ) <replaceable>FILENAME</replaceable></programlisting
> where <replaceable
> consists of hex-characters only. If <replaceable
> contains a newline character, the line must instead read: <programlisting
>\<replaceable>CHECKSUM</replaceable> ' ' ( ' ' | '*' ) <replaceable>ESCAPED-FILENAME</replaceable></programlisting
> where <replaceable
> is the filename with newlines replaced by <literal
>s, and backslashes doubled (<literal
>). </para>

>Similarly, the output of <xref linkend="checksum-definition-verify-command"/> must be of the form <programlisting
><replaceable>FILENAME</replaceable> ( ': OK' | ': FAILED' )</programlisting
> separated by newlines. Newlines and other characters are <emphasis
> escaped in the output.<footnote
> <para
>Yes, these programs were not written with graphical frontends in mind, and &kleopatra; will fail to correctly parse pathological filenames that contain ":&nbsp;OK" plus newline in them. </para>
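A parser for the two formats just described shows where the escaping applies and where it does not. This is an added example, not Kleopatra's code: it assumes the newline escape is the two characters backslash and `n`, as GNU coreutils writes it, and uses constructed sample lines.

```python
import re

# CHECKSUM ' ' ( ' ' | '*' ) FILENAME, optionally prefixed by a backslash.
LINE_RE = re.compile(r"(\\?)([0-9a-fA-F]+) [ *](.*)")

def unescape_filename(escaped):
    """Undo the escaping: backslash-n -> newline, doubled backslash -> backslash."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] != "\\":
            out.append(escaped[i])
            i += 1
            continue
        nxt = escaped[i + 1:i + 2]
        if nxt not in ("n", "\\"):
            raise ValueError("invalid escape in filename: %r" % escaped)
        out.append("\n" if nxt == "n" else "\\")
        i += 2
    return "".join(out)

def parse_checksum_line(line):
    """Return (checksum, filename) for one line of a checksum file."""
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("not a checksum line: %r" % line)
    escaped, checksum, name = m.groups()
    return checksum.lower(), unescape_filename(name) if escaped else name

def parse_verify_output(output):
    """Return ({filename: passed}, [lines matching neither suffix])."""
    results, unparsed = {}, []
    for line in output.split("\n"):
        if line.endswith(": OK"):
            results[line[:-len(": OK")]] = True
        elif line.endswith(": FAILED"):
            results[line[:-len(": FAILED")]] = False
        elif line:
            unparsed.append(line)  # verify output is not escaped, so report it
    return results, unparsed

# Constructed samples: SHA-1 of empty input, and a name containing a newline.
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
SAMPLE_LINES = [EMPTY_SHA1 + "  empty.txt", "\\" + EMPTY_SHA1 + " *two\\nlines.txt"]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_checksum_line(sample))
    print(parse_verify_output("empty.txt: OK\nbroken.bin: FAILED\ntwo\nlines.txt: OK\n"))
```

Reporting the lines that match neither suffix lets a frontend notice that a filename was split across lines instead of silently recording a result for the wrong name.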

>Each checksum program is defined in <filename
> as a separate <literal
> group, with the following mandatory keys: </para>


        <varlistentry id="checksum-definition-file-patterns">
>A list of regular expressions that describe which files should be considered checksum files for this checksum program. The syntax is the one used for string lists in KDE config files. <note
> <para
> Since regular expressions usually contain backslashes, care must be taken to properly escape them in the config file. The use of a config file editing tool is recommended. </para
> </note
> The platform defines whether the patterns are treated case-sensitive or case-insensitive. </para>

        <varlistentry id="checksum-definition-output-file">
>The typical output filename for this checksum program (should match one of the <xref linkend="checksum-definition-file-patterns"/>, of course). This is what &kleopatra; will use as the output filename when creating checksum files of this type. </para>

        <varlistentry id="checksum-definition-id">
>A unique ID used to identify this checksum program internally. If in doubt, use the name of the command. </para>

        <varlistentry id="checksum-definition-Name">
> (translated)</term>
>The user-visible name of this checksum program, as shown in the drop-down menu in &kleopatra;'s config dialog. </para>

        <varlistentry id="checksum-definition-create-command">
>The actual command with which to create checksum files. The syntax, restrictions and argument passing options are the same as described for <xref linkend="archive-definition-pack-command"/> in <xref linkend="admin-archive-definitions"/>. </para>

        <varlistentry id="checksum-definition-verify-command">
>Same as <xref linkend="checksum-definition-create-command"/>, but for checksum verification. </para>


>Here is a complete example: <programlisting
>[Checksum Definition #1]
          Name=sha1sum (GNU)
          Name[de]=sha1sum (GNU)
          create-command=sha1sum -- %f
          verify-command=sha1sum -c -- %f

> <!-- Checksum Definition -->

> <!-- Administrator's Guide -->

<chapter id="credits-and-license">
>Credits and License</title>

>&kleopatra; copyright 2002 &Steffen.Hansen;, &Matthias.Kalle.Dalheimer; and &Jesper.Pedersen;, copyright 2004 &Daniel.Molkentin;, copyright 2004, 2007, 2008, 2009, 2010 Klar&auml;lvdalens Datakonsult AB</para>

>Documentation copyright 2002 &Steffen.Hansen;, copyright 2004 &Daniel.Molkentin;, copyright 2004, 2010 Klar&auml;lvdalens Datakonsult AB</para>

>&Marc.Mutz; &Marc.Mutz.mail;</para>
>&David.Faure; &David.Faure.mail;</para>
>&Steffen.Hansen; <email
>&Matthias.Kalle.Dalheimer; &Matthias.Kalle.Dalheimer.mail;</para>
>&Jesper.Pedersen; &Jesper.Pedersen.mail;</para>
>&Daniel.Molkentin; &Daniel.Molkentin.mail;</para>

>Documentation translation: Xosé Calvo -</para
&underFDL; &underGPL; </chapter>


