Configuration options

General section

Trust Anchor sections

A trust anchor section must be named after the 'alias' of the trust anchor. In case a .info meta-data file is used, the alias is defined in this meta-data file. In case a crl_url file is used to load the URLs, the alias will be set to the basename of the crl_url file, without the ".crl_url" suffix.

crl_url.i

override the list of CRL download URLs for this trust anchor by the URL(s) given in this list. The list of URLs is on a single line, with URLs separated by semi-colons (";").

agingtolerance httptimeout nametemplate_der nametemplate_pem cadir catemplate statedir

override the global defaults for this trust anchor. This override takes precendence overglobal configuration settings as well as over command-line supplied settings!

(no)prepend_url (no)postpend_url (no)warnings (no)errors (no)http_proxy

override global default, with options that are revertible, so "nopostpend_url" will prevent the default postpend_url from being used for this trust anchor. "nohttp_proxy" will prevents the HTTP proxy from being used to download CRLs for this trust anchor.

proctimeout

override the over-all timeout for the duration of the CRLs installation process for this trust anchor.

As always, the "@R@", "@ALIAS", and "@ANCHORNAME@" tokens are expended in URLs.

Example:

[alias]
agingtolerance = 168
noerrors
nowarnings 
crl_url.1 = file:///usr/local/etc/extracrl.pem

Known issues

• although fetch-crl3 will install multiple CRLs in the CRl stores (called ".r0", ".r1", or labelled appropriately in an NSS store), if the number of CRLs decreases the left-overs are not automatically removed. So if the number of CRLs for a particular CA does down from n to n-1, the file ".rn" must be removed manually.
• NSS CRL database support is currently not implemented
• Overall process fimeouts (proctimeout) is currently not implemented