For a DER encoded file, dirmngr fails immediately:
> dirmngr-client --validate dirmngr_daemon-test2.crt.der; echo $? dirmngr-client: no certificate or invalid encoded 2
It works after converting it to PEM format first:
> openssl x509 -inform der -text -outform pem < dirmngr_daemon-test2.crt.der > crt.pem > dirmngr-client --validate crt.pem dirmngr-client: validation of certificate failed: Missing issuer certificate
This is because dirmngr tries to parse the certificate as PEM first, and if that fails falls back to DER.
However, the PEM parsing failure adds an error, which trips this check:
if (log_get_errorcount (0)) exit (2);
Originally found by openQA: https://openqa.opensuse.org/tests/1854025#step/dirmngr_daemon/21