Difference between revisions of "FetchCRL3"
From PDP/Grid Wiki
Jump to navigationJump to searchm |
m |
||
| Line 4: | Line 4: | ||
; version : set the fetch-crl version number, e.g., used in the User-Agent header for HTTP requests. | ; version : set the fetch-crl version number, e.g., used in the User-Agent header for HTTP requests. | ||
| − | + | : Default: 3.0 | |
| + | : | ||
; packager : override the packager of this distribution | ; packager : override the packager of this distribution | ||
| − | ;; Default: | + | : Default: EUGridPMA |
| + | : | ||
| + | ; infodir : directory containing the meta-data (".info") or crl_url files | ||
| + | : Default: /etc/grid-security/certificates | ||
| + | : | ||
| + | ; cadir : directory containing the trust anchors against which retrieved CLRs will be verified | ||
| + | : Default: set to ''infodir'' | ||
| + | : | ||
| + | ; output : directory where the resulting CRLs will be written, unless a format-specific destination is specified | ||
| + | : Default: set to ''infodir'' | ||
| + | : | ||
| + | ; statedir : directory where the state-and-cache file for each CRL is kept. If this directory is not set or does not exist, no state is kept. See the section on Stateful retrieval for more information | ||
| + | : Default: set to /var/cache/fetch-crl if this directory exists, undefined otherwise | ||
| + | : | ||
| + | ; formats : output formats in which the CRLs will be installed. One or more of "openssl", "der", "pem", and/or "nss" | ||
| + | ; Default: openssl | ||
| + | : | ||
| + | ; openssl : location of the OpenSSL binary to use | ||
| + | : Default: openssl (uses path to resolve) | ||
| + | : | ||
| + | ; opensslmode : use only the default hash (''single'') or also the pre-1.0 hash (''dual'') of the subject name for CRLs written with for use with OpenSSL 1.0 and up. Is only used in base the OpenSSL binary is version 1.0.0 or later. | ||
| + | : Default: dual | ||
| + | : | ||
| + | ; path : executable search path ($PATH) | ||
| + | : Default: unchanged from invocation | ||
| + | : | ||
| + | ; randomwait : wait up to ''x'' seconds before commencing the retrieval process | ||
| + | : Default: unset | ||
| + | : | ||
| + | ; httptimeout : maximum time spent in a single HTTP request (HEAD or GET) in seconds | ||
| + | : Default: 120 | ||
| + | : | ||
== Trust Anchor sections == | == Trust Anchor sections == | ||
| Line 20: | Line 52: | ||
Example: | Example: | ||
| − | [ | + | [EDG-Tutorial-CA] |
agingtolerance = 168 | agingtolerance = 168 | ||
noerrors | noerrors | ||
Revision as of 19:45, 8 June 2010
Configuration options
General section
- version
- set the fetch-crl version number, e.g., used in the User-Agent header for HTTP requests.
- Default: 3.0
- packager
- override the packager of this distribution
- Default: EUGridPMA
- infodir
- directory containing the meta-data (".info") or crl_url files
- Default: /etc/grid-security/certificates
- cadir
- directory containing the trust anchors against which retrieved CLRs will be verified
- Default: set to infodir
- output
- directory where the resulting CRLs will be written, unless a format-specific destination is specified
- Default: set to infodir
- statedir
- directory where the state-and-cache file for each CRL is kept. If this directory is not set or does not exist, no state is kept. See the section on Stateful retrieval for more information
- Default: set to /var/cache/fetch-crl if this directory exists, undefined otherwise
- formats
- output formats in which the CRLs will be installed. One or more of "openssl", "der", "pem", and/or "nss"
- Default
- openssl
- openssl
- location of the OpenSSL binary to use
- Default: openssl (uses path to resolve)
- opensslmode
- use only the default hash (single) or also the pre-1.0 hash (dual) of the subject name for CRLs written with for use with OpenSSL 1.0 and up. Is only used in base the OpenSSL binary is version 1.0.0 or later.
- Default: dual
- path
- executable search path ($PATH)
- Default: unchanged from invocation
- randomwait
- wait up to x seconds before commencing the retrieval process
- Default: unset
- httptimeout
- maximum time spent in a single HTTP request (HEAD or GET) in seconds
- Default: 120
Trust Anchor sections
A trust anchor section must be named after the 'alias' of the trust anchor. In case a .info meta-data file is used, the alias is defined in this meta-data file. In case a crl_url file is used to load the URLs, the alias will be set to the basename of the crl_url file, without the ".crl_url" suffix.
- crl_url.i
- override the list of CRL download URLs for this trust anchor by the URL(s) given in this list. The list of URLs is on a single line, with URLs separated by semi-colons (";").
- agingtolerance, httptimeout, nametemplate_der, nametemplate_pem, cadir, catemplate, statedir
- override the global defaults for this trust anchor. This override takes precendence overglobal configuration settings as well as over command-line supplied settings!
- (no)prepend_url, (no)postpend_url, (no)warnings, (no)errors, (no)http_proxy
- override global default, with options that are revertible, so "nopostpend_url" will prevent the default postpend_url from being used for this trust anchor. "nohttp_proxy" will prevents the HTTP proxy from being used to download CRLs for this trust anchor.
- proctimeout
- override the over-all timeout for the duration of the CRLs installation process for this trust anchor.
As always, the "@R@", "@ALIAS", and "@ANCHORNAME@" tokens are expended in URLs.
Example:
[EDG-Tutorial-CA] agingtolerance = 168 noerrors nowarnings crl_url.1 = file:///usr/local/etc/extracrl.pem
Known issues
- although fetch-crl3 will install multiple CRLs in the CRl stores (called ".r0", ".r1", or labelled appropriately in an NSS store), if the number of CRLs decreases the left-overs are not automatically removed. So if the number of CRLs for a particular CA does down from n to n-1, the file ".rn" must be removed manually.
- NSS CRL database support is currently not implemented
- Overall process fimeouts (proctimeout) is currently not implemented
