Index of /distribution/util/fetch-crl
Name Last modified Size Description
CHANGES 05-Apr-2010 19:10 8.6K
VERSION-2.8.5-IS-CUR..> 03-Jun-2010 11:20 0
fetch-crl-2.5.1-1.no..> 16-Jan-2006 18:20 14K
fetch-crl-2.5.1-1.sr..> 16-Jan-2006 18:20 14K
fetch-crl-2.5.1.tar.gz 16-Jan-2006 18:20 11K
fetch-crl-2.5.tar.gz 16-Jan-2006 09:49 11K
fetch-crl-2.6.3-1.no..> 13-Nov-2006 12:52 15K
fetch-crl-2.6.3-1.sr..> 13-Nov-2006 12:52 16K
fetch-crl-2.6.3.tar.gz 13-Nov-2006 12:52 12K
fetch-crl-2.6.4-1.no..> 15-Aug-2007 10:26 15K
fetch-crl-2.6.4-1.sr..> 15-Aug-2007 10:26 16K
fetch-crl-2.6.4.tar.gz 15-Aug-2007 10:26 13K
fetch-crl-2.6.6-1.no..> 16-Sep-2007 14:51 16K
fetch-crl-2.6.6-1.sr..> 16-Sep-2007 14:51 16K
fetch-crl-2.6.6-2.no..> 25-Apr-2009 22:03 16K
fetch-crl-2.6.6-2.sr..> 25-Apr-2009 22:03 17K
fetch-crl-2.6.6.tar.gz 16-Sep-2007 14:51 13K
fetch-crl-2.7.0-1.no..> 03-Feb-2009 09:47 20K
fetch-crl-2.7.0-1.sr..> 29-Jan-2009 15:59 20K
fetch-crl-2.7.0-2.no..> 25-Apr-2009 21:55 20K
fetch-crl-2.7.0-2.sr..> 25-Apr-2009 21:55 20K
fetch-crl-2.7.0.tar.gz 29-Jan-2009 15:59 17K
fetch-crl-2.7.0.txt 30-Jan-2009 14:43 3.1K
fetch-crl-2.7.2-1.no..> 03-Mar-2010 22:24 21K
fetch-crl-2.7.2-1.sr..> 03-Mar-2010 22:23 21K
fetch-crl-2.7.2.tar.gz 03-Mar-2010 22:23 17K
fetch-crl-2.8.2-1.no..> 03-Mar-2010 22:38 23K
fetch-crl-2.8.2-1.sr..> 03-Mar-2010 22:38 24K
fetch-crl-2.8.2.tar.gz 03-Mar-2010 22:38 19K
fetch-crl-2.8.3-1.no..> 28-Mar-2010 10:57 23K
fetch-crl-2.8.3.tar.gz 28-Mar-2010 10:57 19K
fetch-crl-2.8.4-1.no..> 05-Apr-2010 19:11 23K
fetch-crl-2.8.4-1.sr..> 05-Apr-2010 19:11 25K
fetch-crl-2.8.4.tar.gz 05-Apr-2010 19:10 19K
fetch-crl-2.8.5-1.no..> 03-Jun-2010 11:19 23K
fetch-crl-2.8.5-1.sr..> 03-Jun-2010 11:19 25K
fetch-crl-2.8.5.tar.gz 03-Jun-2010 11:18 20K
fetch-crl-2.8.5.txt 03-Jun-2010 11:15 8.9K
headers/ 03-Jun-2010 11:20 -
repodata/ 28-Mar-2010 10:46 -
FETCH-CRL version 2.x
---------------------
This tool and associated cron entry ensure that Certificate Revocation
Lists (CRLs) are periodically retrieved from the web sites of the respective
Certification Authorities.
It assumes that the installed CA files follow the hash.crl_url convention.
Note that this version does not support having multiple CAs with the
same subject name (since the hash .r0 files will collide).
Installation
------------
The default installation directory is "/usr". This can be changed by
passing the PREFIX variable to "make", for example:
    make install PREFIX=/opt/edg
Configuration
-------------
By default, the fetch-crl script will operate on the current working
directory, where it looks for ".crl_url" files and will write the
retrieved CRLs in the OpenSSL-compatible "<hash>.r0" filename
convention.
If the system configuration (RedHat-style) file "/etc/sysconfig/fetch-crl"
exists, settings may be supplied there:
  CRLDIR={path}
      directory of the CRL and crl_url files. It will set both
      the locationDirectory and the outputDirectory to the
      specified path.
  QUIET={yes|no}
      suppress printing of information messages
  SERVERCERTCHECK={yes|no}
      ignore or bark on unrecognised web server certs on download;
      the default (since 2.6.1) is "no", i.e. ignore unrecognised
      server certificates, as the CRL itself is already signed
  SYSLOGFACILITY={facility}
      if set, messages and errors will also be written to syslog(3)
      using the logger(1) programme. Informational messages will
      go in at severity DEBUG, errors at severity ERR.
      (if left unset, syslog will not be used)
Usage
-----
Usage: fetch-crl [-h|--help]
       fetch-crl [-l|--loc <locationDirectory>]
                 [-o|--out <outputDirectory>] [-q|--quiet]
                 [-a|--agingtolerance <hours>]

Options:
  -h|--help
      show this help
  -l|--loc <locationDirectory>
      The script will search this directory for files with the
      suffix '.crl_url'. It is supposed that each one of these
      files contains the URL of a Certificate Revocation List (CRL)
      for a Certification Authority. This URL is of the form
      http://www.myhost.com/myCRL.
      Note: the CRL files to download must be in either PEM or
      DER format.
      For validity checking of the CA certificates, this script
      assumes that the certificates of the CAs are also found
      in this directory.
      Default: output directory (see below)
  -o|--out <outputDirectory>
      directory where to put the downloaded and processed CRLs.
      The directory to be used as argument for this option
      is typically /etc/grid-security/certificates
      Default: current working directory
  -a|--agingtolerance hours
      The maximum age of the locally downloaded CRL before download
      failures trigger actual error messages. This error message
      suppression mechanism only works if the crl_url files are named
      after the hash of the CRL issuer name, a stat(1) command is
      installed, and a CRL has already been downloaded at least once.
  -q|--quiet
      Quiet mode (do not print information messages)
  -n|--no-check-certificate
      Do not check the server certificate when downloading CRLs. This
      is the default.
  --check-server-certificate
      Reverse: do check the server certificate when downloading CRLs.
  -f|--syslog-facility facility
      Also log messages and errors to syslog facility <fac>
      Messages are logged at level DEBUG, errors at level ERR.

Defaults can be set in the fetch-crl system configuration file
/etc/sysconfig/fetch-crl (resettable via the FETCH_CRL_SYSCONFIG environment
variable, see manual for details).
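
The aging tolerance described under -a depends on the age of the local
<hash>.r0 file. The shell function below is an added example, not part of
fetch-crl or of this distribution: it applies the same idea as a monitoring
check over a CRL directory, flagging every <hash>.crl_url whose <hash>.r0 is
missing or older than a tolerance in hours. The name stale_crls and its output
format are hypothetical, and it assumes the .r0 modification time reflects the
last successful download.

```shell
#!/bin/sh
# Added example (not fetch-crl code): find CRLs that were never fetched or
# that have not been refreshed within a tolerance, using the
# <hash>.crl_url / <hash>.r0 naming convention described above.

# stale_crls DIR HOURS
#   Prints "MISSING <hash>" when <hash>.r0 is absent or empty and
#   "STALE <hash>" when it is older than HOURS.
#   Returns 0 if every .crl_url has a fresh .r0, 1 if any problem was
#   reported, 2 on a usage error.
stale_crls() {
    dir=$1
    hours=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $hours in
        ''|*[!0-9]*) echo "hours must be a non-negative integer" >&2
                     return 2 ;;
    esac
    minutes=$((hours * 60))
    rc=0
    for url_file in "$dir"/*.crl_url; do
        [ -e "$url_file" ] || continue      # glob matched nothing
        name=$(basename "$url_file" .crl_url)
        crl="$dir/$name.r0"
        if [ ! -s "$crl" ]; then
            echo "MISSING $name"
            rc=1
        elif [ -n "$(find "$crl" -mmin +"$minutes")" ]; then
            # find prints the path only when the mtime is older than
            # the tolerance, so non-empty output means a stale CRL
            echo "STALE $name"
            rc=1
        fi
    done
    return $rc
}
```

Run it from cron or a monitoring agent against the output directory, for
example: stale_crls /etc/grid-security/certificates 24
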
Origin
------
The original version of edg-fetch-crl was written by
# Author: Fabio Hernandez #
# fabio@in2p3.fr #
# IN2P3 Computer Center #
# http://www.in2p3.fr/CC #
# Lyon (FRANCE) #
as part of the datagrid project (see http://www.edg.org/)
It is governed by the EU DataGrid open source license.