# # EXAMPLE configuration file for Fetch-crl3 # @(#)$Id$ # # configuration file fetch-crl3 # use SEMICOLON (;) or \001 (^A) as list separators in values # # --------------------------------------------------------------------------- # infoset set the location where the meta-data files (.info or .crl_url) # are help by default. All trust anchors listed there are processes, so # to suppress this behaviour set this to the empty value "" # # infodir = /etc/grid-security/certificates # # --------------------------------------------------------------------------- # cadir sets the location where the trust anchors themselves are found, as # PEM files, to be used in the CRL verification by openssl. They are usually # names after the trust anchor proper name ("alias.0"), or after the filename # of the trust anchor, the basename of the meta-data file name ("hash.0"). # It defaults to infodir # # cadir = /etc/grid-security/certificates # # --------------------------------------------------------------------------- # output sets the location where the retrieved CRLs are written by default. # It can be overridden on a per-output-format basis by setting the # "output_" options. It should point to a directory (even for the # NSS output format. It defaults to infodir # # output = /etc/grid-security/certificates # # --------------------------------------------------------------------------- # statedir points to the directory where per-CRL state files are kept. These # state files record the retrieval time, last-retrieved (modification) time, # best-before date and the (cached) content of the CRL. For the purposes of # the CRL state, all CRL URLs for a particular trust anchor index are # considered equal. # If it is unset, no state is preserved, but the last-retrieved time is # guessed from the modification time. If statedir does not exist, or is # not writable, it is not used but silently ignored. Writeability is # determined by perl's "-w" test. # It defaults to /var/cache/fetch-crl # # statedir = /var/cache/fetch-crl # # --------------------------------------------------------------------------- # formats lists one or more ways to write out the CRL to the output # directories. It can be one or more of "openssl", "der", "pem", or "nss" # in a comma-separated list. # * the "openssl" format writes out "hash.rX" files, with being the # first 4 bytes of the digest of the subject DN, and "X" a sequence number # of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0 # or above, it can write out the CRL with two possible hash algorithms at # the same time: the 'old' MD5 of the binary subject DN representation, or # the 'new' SHA1 based digest of the canonical representation. Whether # one or two hashes are written is determined by the "opensslmode" option. # * "pem" writes out the CRL in PEM (RFC1421) format, to the file named # after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem) # in the output or output_pem directory # * "der" does the same in DER binary format, to a file names # after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl) # in the output or output_der directory # * "nss" adds (or replaces) the named CRL in the NSS database in # /cert8.db, using the Mozilla crlutil tool # # formats = openssl # # --------------------------------------------------------------------------- # specialised output directories # # output_pem = /etc/pki/tls/certs # output_der = /var/tmp # output_nss = /etc/pki/nssdb # # --------------------------------------------------------------------------- # name templates are used to construct the file name of a CRL for installation # based on the meta-data of the CA. It uses token replacement to construct # a specific and unique filename. The tokens recognised are the same as those # of the pre- and postpend URLs: # @ANCHORNAME@ base name of the trust anchor meta-data file name # @ALIAS@ alias name of the trust anchor from the info file (defaults # to the @ANCHORNAME@) # @R@ the sequence number of the CRL for this trust anchor # # nametemplate_der = @ANCHORNAME@.@R@.crl # nametemplate_pem = @ANCHORNAME@.@R@.crl.pem # # --------------------------------------------------------------------------- # catemplate has a (list of) potential names of the certificate of the # trust anchor -- it is used to find the CA data for verifying the # retrieved CRLs. Even if you only use NSS databases, you need a directory # with PEM formatted certificates of the issuing CAs. # # catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@ # # --------------------------------------------------------------------------- # opensslmode is used if the openssl format for output is specified and also # OpenSSL version 1.0.0 or higher are used. If so, you can have the CRL data # be written out twice, once with the 'old' and once with the 'new' hash style # Default is dual mode, so if OpenSSL 1.x is present, by default TWO files # are written # # opensslmode = dual # opensslmode = single # # --------------------------------------------------------------------------- # nonssverify disables the checking of imported CRLs into an NSS database. # so that you can create a database withonly CRLs, and no CAs. It passes the # "-B" option to the crlutil tool # # nonssverify # # --------------------------------------------------------------------------- # wait up to seconds before doing anything at all # useful for randoming the start time and download from cron across the world # # randomwait = 0 # # --------------------------------------------------------------------------- # logmode defined how the log and error messages are written out: # direct - print them immediately, only the message # qualified - print immediately, but prexif it with the message type # "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)" # cache - save messages and dump them all at once at the end # syslog - write the message to system with a decent severity level # using facility (default: daemon) # # logmode = qualified # # --------------------------------------------------------------------------- # wait at most seconds for the retrieval of a data blob # from a remote URL (http, https, or ftp). The timeout covers the whole # retrieval process, incliding DNS resolution. Default is 120 seconds. # # httptimeout = 30 # # --------------------------------------------------------------------------- # httpproxy sets the url for the HTTP proxy to use (in perl LWP style). Or # use ENV to pick up the settings from the environment # # http_proxy = http://localhost:8001/ # # --------------------------------------------------------------------------- # nowarnings suppresses the pritning and logging or any and all warnings (but # not errors or verbose messages) # # nowarnings # # --------------------------------------------------------------------------- # noerrors suppresses the pritning and logging or any and all errors (but # not warnings or verbose messages) # # noerrors # # --------------------------------------------------------------------------- # agingtolerance sets the time in hours before retrieval warnings become # errors for a CRL retrieval. If you also suppress warnings, you will # prevent any annoying messages for a trust anchor for up to hours. # The IGTF currently recommends an aging tolerance of 24 hours, to allow # for network disruptions and connectivity problems. # # agingtolerance = 24 # # --------------------------------------------------------------------------- # prepend_url URLs are tried first before using any URLs form the crl_url # file or the .info crl_url (crl_url.0) fields # # prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@ # # --------------------------------------------------------------------------- # postpend_url URLs are tried last, only if all URLs form the crl_url file # or the .info crl_url (crl_url.0) fields have already failed or timed out # # postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@ # # --------------------------------------------------------------------------- # path to openssl version to use # openssl = /usr/bin/openssl # # --------------------------------------------------------------------------- # path to use to find utilities like OpenSSL or crlutil. Default leaves it # unmodified # # path = /bin:/usr/bin:/usr/ucb # # --------------------------------------------------------------------------- # settings "backups" will trigger the generation of backup files (~ files) # when writing CRLs to an output destination. # # backups # # --------------------------------------------------------------------------- # stateless supresses any use of the state directory, even if it exists and # is writable # # stateless # # --------------------------------------------------------------------------- # override version or packager to influence the User-Agent header in http # requests. But please leave them alone # version = 3.0 # packager = EUGridPMA # =========================================================================== # PER TRUST ANCHOR OVERRIDES # =========================================================================== # # many settings can be overrules in a per-trust anchor section of the # configuration file. For each trust anchor, only a SINGLE override # section will be used. If a section names after the @ALIAS@ exists, # it will take precedence over any section named after @ANCHORNAME@. # # To have a section work with either ".info" or ".crl_url" files, name it # after the @ANCHORNAME@, since that one will be the same for both. # Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552] # (the latter is the commonly used file name), but using [16da7552] will # result in the section being recognised in both cases # # [16da7552] # --------------------------------------------------------------------------- # agingtolerance for this trust anchor specifically. Use it if the retrieval # for this CA is unreliable. # # agingtolerance = 12 # # --------------------------------------------------------------------------- # replace the list of CRL URLs for this CA and this CRL sequence number # by a completely new set. E.g. from a different place, or a local # cache, or ... # # crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0 # # --------------------------------------------------------------------------- # To never hear of this CA again, suppress both errors and warnings: #noerrors #nowarnings # # --------------------------------------------------------------------------- # You can also (un) set the following on a per-trust anchor basis: # # (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir -- # either remove a global setting, or put in a new setting with value # # (no)warnings (no)noerrors (no)nocache -- # override a global setting (no value possible) # # agingtolerance httptimeout nametemplate_der nametemplate_pem # cadir catemplate # set these to a local value (but they cannot be unset) # # # Share and enjoy -- and remember that up to 7 verbosity levels are # significant :-) "-vvvvvvvv" is a useful option ... # #