fetch-crl

Language: en


Version: local (ubuntu - 25/10/10)

Section: 8 (Administrator commands)

NAME

fetch-crl - retrieve certificate revocation lists

SYNOPSIS

fetch-crl [-l locationDirectory] [-o outputDirectory] [-a agingTolerance] [-q] [-n]

DESCRIPTION

fetch-crl retrieves certificate revocation lists (CRLs). CRLs can be retrieved from web sites using the HTTP or HTTPS protocols and can be in either PEM or DER encoded form. The URLs for the CRL download are to be found in files named hash.r0 and should accompany a CA root certificate with the same hash. Retrieving a CRL without an accompanying CA root certificate will result in a verification failure.

OPTIONS

-h --help
Show help text.
-l --loc locationDirectory
The script will search this directory for files with the suffix '.crl_url'. Each of these files is expected to contain the URL of a Certificate Revocation List (CRL) for a Certification Authority. This URL is of the form http://www.myhost.com/myCRL. Note: the CRL files to download must be in either PEM or DER format.

For validity checking of the CA certificates, this script assumes that the certificates of the CAs are also found in this directory.

Default: output directory (see below)

-o --out outputDirectory
Directory in which to put the downloaded and processed CRLs. The directory given as argument to this option is typically /etc/grid-security/certificates.

Default: current working directory

-a --agingtolerance hours
The maximum age of the locally downloaded CRL before download failures trigger actual error messages. This error message suppression mechanism only works if the crl_url files are named after the hash of the CRL issuer name, a stat(1) command is installed, and a CRL has already been downloaded at least once.

Default: no aging tolerance

-q --quiet
Quiet mode (do not print information messages).
-n --no-check-certificate
Do not check the server certificate when retrieving URLs (see also: SERVERCERTCHECK=no in /etc/fetch-crl.conf).

NOTES

Defaults can be set in the fetch-crl system configuration file /etc/fetch-crl.conf, using the CRLDIR and QUIET directives. If you want a specific version of OpenSSL to be used by fetch-crl for converting and validating CRLs, set the FETCH_CRL_OPENSSL environment variable (via /etc/fetch-crl.conf). For historical reasons, if /etc/fetch-crl.conf does not exist, but /etc/sysconfig/fetch-crl does, the latter file is read instead.

The script will try to use the latest version of OpenSSL to be found anywhere in your path or in /usr/bin, /usr/local/bin (or in the $GLOBUS_LOCATION/bin directory when available). Use of the latest version of OpenSSL is strongly encouraged.

The fetch-crl script should preferably be run from cron(8) at least once every day. See /usr/share/doc/fetch-crl-version for an example cron job to install.

Other configuration variables recognised in /etc/fetch-crl.conf:

WGET_RETRIES n
Number of attempts of wget to obtain the CRL from the specified location.
WGET_TIMEOUT seconds
Number of seconds to wait for each stage of the HTTP GET request (i.e. seconds for DNS resolution, the same amount for downloading, etc.).
SERVERCERTCHECK {yes,no}
When set to "no", the check of the server certificate validity is suppressed (applies to wget version 1.10 and higher only).
WGET_OPTS options
Additional command-line arguments to be passed to the invocations of wget.
LOGFILE filename
In addition to all other message output mechanisms, also append generated messages to the file filename.
CRL_AGING_THRESHOLD hours
Only complain about a failed CRL download if the download has failed persistently for more than the given number of consecutive hours, or if the current time is past the advertised nextUpdate time for this CRL.
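As an added illustration of the retrieval and verification flow described in DESCRIPTION and of the aging-tolerance suppression (-a / CRL_AGING_THRESHOLD), here is a hypothetical re-implementation of the core loop; it is not the distributed fetch-crl script. It assumes the layout the man page describes: hash.crl_url holds the URL, hash.0 is the CA certificate with the same hash, and the verified CRL is written as hash.r0.

```shell
#!/bin/sh
# Hypothetical re-implementation (not the real fetch-crl). Assumed layout:
#   $LOC/<hash>.crl_url  first line is the CRL URL
#   $LOC/<hash>.0        CA certificate with the same hash (needed to verify)
#   $OUT/<hash>.r0       verified CRL, always stored in PEM form

# Print PEM or DER depending on how the downloaded CRL ($1) is encoded.
crl_format() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1"; then echo PEM; else echo DER; fi
}

# Succeed when CRL file $1 is younger than $2 hours: the aging-tolerance rule
# that silences a download error while an older copy is still fresh (needs stat(1)).
crl_within_tolerance() {
    crl=$1; hours=$2
    [ -f "$crl" ] || return 1
    mtime=$(stat -c %Y "$crl" 2>/dev/null || stat -f %m "$crl")
    now=$(date +%s)
    [ $(( (now - mtime) / 3600 )) -lt "$hours" ]
}

# Download, convert and verify one CRL; $1 is the hash.crl_url file.
fetch_one() {
    urlfile=$1; loc=$2; out=$3; tolerance=$4
    hash=$(basename "$urlfile" .crl_url)
    url=$(head -n 1 "$urlfile")
    tmp=$(mktemp)
    if ! wget -q --tries="${WGET_RETRIES:-3}" --timeout="${WGET_TIMEOUT:-30}" \
              ${WGET_OPTS:-} -O "$tmp" "$url"; then
        rm -f "$tmp"
        crl_within_tolerance "$out/$hash.r0" "$tolerance" && return 0
        echo "fetch-crl: download of $url failed" >&2; return 1
    fi
    # Normalise to PEM, then check the signature against the CA with the same
    # hash: without $loc/$hash.0 this verification fails, as the man page warns.
    if openssl crl -inform "$(crl_format "$tmp")" -in "$tmp" -out "$tmp.pem" &&
       openssl crl -in "$tmp.pem" -noout -CAfile "$loc/$hash.0" -verify 2>/dev/null; then
        mv "$tmp.pem" "$out/$hash.r0"; rm -f "$tmp"; return 0
    fi
    echo "fetch-crl: verification of CRL for $hash failed" >&2
    rm -f "$tmp" "$tmp.pem"; return 1
}

# Process every .crl_url file in the location directory (-l), writing to -o.
fetch_all() {
    loc=$1; out=$2; tolerance=${3:-0}; rc=0
    for f in "$loc"/*.crl_url; do
        [ -e "$f" ] || continue
        fetch_one "$f" "$loc" "$out" "$tolerance" || rc=1
    done
    return $rc
}
```

Run as `fetch_all /etc/grid-security/certificates /etc/grid-security/certificates 24` from a daily cron job to mirror the documented defaults.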

SEE ALSO

openssl(1)

DIAGNOSTICS

Exit status is normally 0; if an error occurs, exit status is 1 and diagnostics will be written to standard error.

BUGS

The fetch-crl program cannot handle CRLs for multiple certificates with the same hash value.