Difference between revisions of "FetchCRL3"

From PDP/Grid Wiki

Revision as of 21:27, 8 June 2010

Configuration options

General section

version
    set the fetch-crl version number, e.g., used in the User-Agent header for HTTP requests.
    Default: 3.0

packager
    override the packager of this distribution
    Default: EUGridPMA

Trust Anchor sections

A trust anchor section must be named after the 'alias' of the trust anchor. In case a .info meta-data file is used, the alias is defined in this meta-data file. In case a crl_url file is used to load the URLs, the alias will be set to the basename of the crl_url file, without the ".crl_url" suffix.

crl_url.i
    override the list of CRL download URLs for this trust anchor by the URL(s) given in this list. The list of URLs is on a single line, with URLs separated by semi-colons (";").

agingtolerance, httptimeout, nametemplate_der, nametemplate_pem, cadir, catemplate, statedir
    override the global defaults for this trust anchor. This override takes precedence over global configuration settings as well as over command-line supplied settings!

(no)prepend_url, (no)postpend_url, (no)warnings, (no)errors, (no)http_proxy
    override the global default, with options that are revertible, so "nopostpend_url" will prevent the default postpend_url from being used for this trust anchor. "nohttp_proxy" will prevent the HTTP proxy from being used to download CRLs for this trust anchor.

proctimeout
    override the overall timeout for the duration of the CRL installation process for this trust anchor.

As always, the "@R@", "@ALIAS@", and "@ANCHORNAME@" tokens are expanded in URLs.

Example:

    [alias]
    agingtolerance = 168
    noerrors
    nowarnings
    crl_url.1 = file:///usr/local/etc/extracrl.pem
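To make the override rules above concrete, here is an added Python sketch (not fetch-crl's own Perl code): it parses a constructed config in the format of the example, applies the global -> command-line -> trust-anchor precedence, treats the "no"-prefixed options as revertible, splits crl_url.N lines on ";" and expands the @ALIAS@, @ANCHORNAME@ and @R@ tokens. The simplified parser, the function names and the `tokens` argument used to supply the @R@ value are assumptions of this example.

```python
import re
# Options the page lists as revertible with a "no" prefix.
REVERTIBLE = {"prepend_url", "postpend_url", "warnings", "errors", "http_proxy"}
# Constructed sample modelled on the example section above (not a real site's config).
SAMPLE = """\
httptimeout = 30
http_proxy = http://proxy.example.invalid:3128
[alias]
agingtolerance = 168
noerrors
nowarnings
nohttp_proxy
crl_url.1 = file:///usr/local/etc/extracrl.pem
crl_url.2 = http://crl.example.invalid/@ALIAS@/@ANCHORNAME@.crl;http://mirror.example.invalid/@ALIAS@.r@R@
"""

def parse_config(text):
    """Parse '[section]', 'key = value' and bare-flag lines; keys before the first
    [section] are treated as the global section (simplified parser, an assumption)."""
    sections, current = {"General": {}}, "General"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep:
            sections[current][key] = value
        elif key.startswith("no") and key[2:] in REVERTIBLE:
            sections[current][key[2:]] = False   # "nohttp_proxy" reverts the default
        else:
            sections[current][key] = True        # bare flag enables the option
    return sections

def effective_settings(config, alias, cmdline=None, tokens=None):
    """Merge global -> command line -> [alias] (the anchor section wins over both)
    and return (merged settings, expanded crl_url.N list); `tokens` gives @R@."""
    merged = dict(config.get("General", {}))
    merged.update(cmdline or {})
    merged.update(config.get(alias, {}))
    subst = {"@ALIAS@": alias, "@ANCHORNAME@": alias, **(tokens or {})}
    keys = sorted((k for k in merged if re.fullmatch(r"crl_url\.\d+", k)),
                  key=lambda k: int(k.rsplit(".", 1)[1]))
    # Each crl_url.N line holds ';'-separated URLs; expand known @TOKEN@s in each.
    urls = [re.sub(r"@\w+@", lambda m: str(subst.get(m.group(0), m.group(0))), u.strip())
            for key in keys for u in merged[key].split(";") if u.strip()]
    return merged, urls
```

Calling `effective_settings(parse_config(SAMPLE), "alias", cmdline={"agingtolerance": "24"})` shows the section value 168 winning over the command-line 24, and the proxy disabled only for this anchor.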


Known issues

  • although fetch-crl3 will install multiple CRLs in the CRL stores (called ".r0", ".r1", or labelled appropriately in an NSS store), if the number of CRLs decreases the left-overs are not automatically removed. So if the number of CRLs for a particular CA goes down from n to n-1, the file ".rn" must be removed manually.
  • NSS CRL database support is currently not implemented
  • Overall process timeouts (proctimeout) are currently not implemented