fetch-crl
Language: en
Version: local (ubuntu - 25/10/10)
Section: 8 (Administrator commands)
NAME
fetch-crl - retrieve certificate revocation lists

SYNOPSIS
fetch-crl [-l locationDirectory] [-o outputDirectory] [-a agingTolerance] [-q]

DESCRIPTION
fetch-crl retrieves certificate revocation lists (CRLs). CRLs can be retrieved from web sites using the HTTP or HTTPS protocols and can be in either PEM or DER encoded form. The URLs for the CRL download are to be found in files named hash.r0 and should accompany a CA root certificate with the same hash. Retrieving a CRL without an accompanying CA root certificate will result in a verification failure.

OPTIONS
-h, --help
    Show help text.

-l, --loc locationDirectory
    The script will search this directory for files with the suffix '.crl_url'. Each of these files is expected to contain the URL of a Certificate Revocation List (CRL) for a Certification Authority. This URL is of the form http://www.myhost.com/myCRL. Note: the CRL files to download must be in either PEM or DER format.
    For validity checking of the CA certificates, this script assumes that the certificates of the CAs are also found in this directory.
    Default: output directory (see below)

-o, --out outputDirectory
    Directory where the downloaded and processed CRLs are put. The directory to be used as argument for this option is typically /etc/grid-security/certificates.
    Default: current working directory

-a, --agingtolerance hours
    The maximum age of the locally downloaded CRL before download failures trigger actual error messages. This error message suppression mechanism only works if the crl_url files are named after the hash of the CRL issuer name, a stat(1) command is installed, and a CRL has already been downloaded at least once.
    Default: no aging tolerance

-q, --quiet
    Quiet mode (do not print information messages).

-n, --no-check-certificate
    Do not check the server certificate when retrieving URLs (see also: SERVERCERTCHECK=no in /etc/fetch-crl.conf).

NOTES
Defaults can be set in the fetch-crl system configuration file /etc/fetch-crl.conf, using the CRLDIR and QUIET directives. If you want a specific version of OpenSSL to be used by fetch-crl for converting and validating CRLs, set the FETCH_CRL_OPENSSL environment variable (via /etc/fetch-crl.conf). For historical reasons, if /etc/fetch-crl.conf does not exist but /etc/sysconfig/fetch-crl does, the latter file is read instead.

The script will try to use the latest version of OpenSSL to be found anywhere in your path or in /usr/bin or /usr/local/bin (or in the $GLOBUS_LOCATION/bin directory when available). Use of the latest version of OpenSSL is strongly encouraged.

The fetch-crl script should preferably be run from cron(8) at least once every day. See /usr/share/doc/fetch-crl-version for an example cron job to install.

Other configuration variables recognised in /etc/fetch-crl.conf:

WGET_RETRIES n
    Number of attempts wget makes to obtain the CRL from the specified location.

WGET_TIMEOUT seconds
    Number of seconds to wait for each stage of the HTTP GET request (i.e. seconds for DNS resolution, the same amount for the download, etc.).

SERVERCERTCHECK {yes,no}
    When set to "no", the check of the server certificate validity is suppressed (applies to wget version 1.10 and higher only).

WGET_OPTS options
    Additional command-line arguments to be passed to the invocations of wget.

LOGFILE filename
    In addition to all other message output mechanisms, also append generated messages to the file filename.

CRL_AGING_THRESHOLD hours
    Only complain about a failed CRL download if the download has failed persistently for more than hours consecutive hours, or if the current time is past the advertised nextUpdate time for this CRL.
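The two rules above that matter most operationally are the pairing requirement from DESCRIPTION (a CRL URL file must sit beside the CA certificate with the same hash, or verification fails) and the aging tolerance (-a / CRL_AGING_THRESHOLD: a failed download is only reported once the local copy is older than the tolerance or past its advertised nextUpdate). The following is an added illustration of that logic, not fetch-crl's own code. It assumes the <hash>.crl_url / <hash>.0 / <hash>.r0 layout the page describes, parses the shell-style KEY=value configuration format, and takes the nextUpdate value from the line `openssl crl -noout -nextupdate` prints; the configuration text and directory contents it builds are constructed samples.

```python
"""Added illustration of two fetch-crl rules, not fetch-crl's own code:
(1) a <hash>.crl_url file must be accompanied by the CA certificate <hash>.0,
otherwise CRL verification fails; (2) with an aging tolerance (-a or
CRL_AGING_THRESHOLD) a failed download is only reported when the local CRL is
older than the tolerance or past its nextUpdate.  All sample data is constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone


def parse_conf(text):
    """Parse /etc/fetch-crl.conf style KEY=value lines (shell-like: comments,
    blank lines and optional double quotes; a '#' inside quotes is not handled)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"]*)"?$', line)
        if not m:
            raise ValueError(f"unparseable directive: {line!r}")
        key, value = m.groups()
        conf[key] = value.strip()
    return conf


def find_crl_sets(certdir):
    """For every <hash>.crl_url in certdir, report the URL it holds and whether
    the matching CA certificate (<hash>.0) and local CRL (<hash>.r0) exist."""
    sets = {}
    for name in sorted(os.listdir(certdir)):
        if not name.endswith(".crl_url"):
            continue
        h = name[: -len(".crl_url")]
        with open(os.path.join(certdir, name)) as f:
            url = f.read().strip()
        ca = os.path.join(certdir, h + ".0")
        crl = os.path.join(certdir, h + ".r0")
        sets[h] = {"url": url,
                   "ca": ca if os.path.exists(ca) else None,
                   "crl": crl if os.path.exists(crl) else None}
    return sets


def parse_openssl_nextupdate(line):
    """Turn the 'nextUpdate=Oct  1 12:00:00 2025 GMT' line printed by
    `openssl crl -noout -nextupdate` into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def should_report_failure(local_mtime, now, next_update, tolerance_hours):
    """Decide whether a failed download deserves an error message.  The mtime of
    the last successfully downloaded copy (what stat(1) gives fetch-crl) stands
    in for 'how long downloads have been failing'."""
    if tolerance_hours is None:
        return True, "no aging tolerance configured: every failure is reported"
    if next_update is not None and now > next_update:
        return True, "local CRL is past its advertised nextUpdate"
    age = now - local_mtime
    if age > timedelta(hours=tolerance_hours):
        return True, f"local CRL is {age} old, beyond the {tolerance_hours}h tolerance"
    return False, "suppressed: local CRL is still within the aging tolerance"


SAMPLE_CONF = """\
# constructed /etc/fetch-crl.conf for this example
CRLDIR=/etc/grid-security/certificates
QUIET=yes
WGET_RETRIES=3
WGET_TIMEOUT=10
WGET_OPTS="--no-proxy"
CRL_AGING_THRESHOLD=24
"""


def demo():
    """Evaluate a constructed certificates directory against SAMPLE_CONF."""
    conf = parse_conf(SAMPLE_CONF)
    tolerance = int(conf["CRL_AGING_THRESHOLD"])
    with tempfile.TemporaryDirectory() as d:
        # CA 'aabbccdd' is complete; '11223344' has a URL file but no CA cert.
        for h, complete in (("aabbccdd", True), ("11223344", False)):
            with open(os.path.join(d, h + ".crl_url"), "w") as f:
                f.write(f"http://crl.example.invalid/{h}.crl\n")
            if complete:
                open(os.path.join(d, h + ".0"), "w").close()
                open(os.path.join(d, h + ".r0"), "w").close()
        sets = find_crl_sets(d)
    missing_ca = sorted(h for h, s in sets.items() if s["ca"] is None)
    now = datetime(2025, 10, 10, 12, 0, tzinfo=timezone.utc)
    valid = parse_openssl_nextupdate("nextUpdate=Oct 11 00:00:00 2025 GMT")
    expired = parse_openssl_nextupdate("nextUpdate=Oct  9 00:00:00 2025 GMT")
    return {
        "missing_ca": missing_ca,
        "fresh": should_report_failure(now - timedelta(hours=6), now, valid, tolerance)[0],
        "stale": should_report_failure(now - timedelta(hours=30), now, valid, tolerance)[0],
        "expired": should_report_failure(now - timedelta(hours=6), now, expired, tolerance)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the ordering in `should_report_failure` is that a CRL past its nextUpdate is reported regardless of how recently it was fetched: relying parties will start rejecting it, so suppressing the failure there would hide exactly the condition the tolerance is meant to tolerate only briefly. The `missing_ca` list is the cheap pre-flight check for the verification failure the DESCRIPTION warns about.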
SEE ALSO
openssl(1)

DIAGNOSTICS
Exit status is normally 0; if an error occurs, exit status is 1 and diagnostics will be written to standard error.

BUGS
The fetch-crl program cannot handle CRLs for multiple certificates with the same hash value.