FetchCRL3

From PDP/Grid Wiki

Configuration options

General section

version
set the fetch-crl version number, e.g., used in the User-Agent header for HTTP requests.
Default: 3.0
packager
override the packager of this distribution
Default: EUGridPMA
infodir
directory containing the meta-data (".info") or crl_url files
Default: /etc/grid-security/certificates
cadir
directory containing the trust anchors against which retrieved CRLs will be verified
Default: set to infodir
output
directory where the resulting CRLs will be written, unless a format-specific destination is specified
Default: set to infodir
statedir
directory where the state-and-cache file for each CRL is kept. If this directory is not set or does not exist, no state is kept. See the section on Stateful retrieval for more information
Default: set to /var/cache/fetch-crl if this directory exists, undefined otherwise
formats
output formats in which the CRLs will be installed. One or more of "openssl", "der", "pem", and/or "nss"
Default: openssl
openssl
location of the OpenSSL binary to use
Default: openssl (uses path to resolve)
opensslmode
use only the default hash (single) or also the pre-1.0 hash (dual) of the subject name for CRLs written for use with OpenSSL 1.0 and up. Only used in case the OpenSSL binary is version 1.0.0 or later.
Default: dual
path
executable search path ($PATH)
Default: unchanged from invocation
randomwait
wait up to x seconds before commencing the retrieval process
Default: unset
httptimeout
maximum time spent in a single HTTP request (HEAD or GET) in seconds
Default: 120

Trust Anchor sections

A trust anchor section must be named after the 'alias' of the trust anchor. In case a .info meta-data file is used, the alias is defined in this meta-data file. In case a crl_url file is used to load the URLs, the alias will be set to the basename of the crl_url file, without the ".crl_url" suffix.

crl_url.i
override the list of CRL download URLs for this trust anchor by the URL(s) given in this list. The list of URLs is on a single line, with URLs separated by semi-colons (";").
agingtolerance, httptimeout, nametemplate_der, nametemplate_pem, cadir, catemplate, statedir
override the global defaults for this trust anchor. This override takes precedence over global configuration settings as well as over command-line supplied settings!
(no)prepend_url, (no)postpend_url, (no)warnings, (no)errors, (no)http_proxy
override the global default with options that are revertible, so "nopostpend_url" will prevent the default postpend_url from being used for this trust anchor. "nohttp_proxy" will prevent the HTTP proxy from being used to download CRLs for this trust anchor.
proctimeout
override the overall timeout for the duration of the CRL installation process for this trust anchor.

As always, the "@R@", "@ALIAS@", and "@ANCHORNAME@" tokens are expanded in URLs.

Example:

[EDG-Tutorial-CA]
agingtolerance = 168
noerrors
nowarnings
crl_url.1 = file:///usr/local/etc/extracrl.pem
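
To make the precedence and flag semantics above concrete, here is an added Python example (illustrative, not fetch-crl's own code) that reads a configuration in this layout, merges a trust-anchor section over the general settings, honours the "no"-prefixed revertible flags, and splits the semicolon-separated crl_url.i list with "@ALIAS@" expanded. It assumes the general options precede the first section header and gives them the internal section name "general"; the sample file and its hostnames are constructed.

```python
import configparser
from typing import Any, Dict, List

# Constructed sample (not a real deployment). The general options come before
# the first trust-anchor section; "noerrors"/"nowarnings" are bare flags.
SAMPLE_CONF = """
infodir = /etc/grid-security/certificates
httptimeout = 120
agingtolerance = 24
postpend_url = http://backup.example.invalid/@ALIAS@.r0

[EDG-Tutorial-CA]
agingtolerance = 168
noerrors
nowarnings
crl_url.1 = file:///usr/local/etc/extracrl.pem;http://mirror.example.invalid/@ALIAS@.r0
"""

GENERAL = "general"  # assumed name given to the header-less general section
# Options the page lists as revertible with a "no" prefix
REVERTIBLE = {"prepend_url", "postpend_url", "warnings", "errors", "http_proxy"}


def load_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep key case, e.g. "crl_url.1"
    cp.read_string(f"[{GENERAL}]\n" + text)  # give the general section a header
    return cp


def effective_settings(cp: configparser.ConfigParser, alias: str) -> Dict[str, Any]:
    """Merge general settings with the trust-anchor section; anchor values win."""
    eff: Dict[str, Any] = dict(cp[GENERAL])
    if cp.has_section(alias):
        for key, val in cp[alias].items():
            base = key[2:] if key.startswith("no") else key
            if val is None and base in REVERTIBLE:
                eff.pop(base, None)  # "nopostpend_url": drop the general default
                eff[key] = True
            else:
                eff[key] = val if val is not None else True
    return eff


def crl_urls(cp: configparser.ConfigParser, alias: str) -> List[str]:
    """Return the crl_url.i overrides in index order, one URL per entry."""
    sect = cp[alias]
    keys = sorted((k for k in sect if k.startswith("crl_url.")),
                  key=lambda k: int(k.split(".", 1)[1]))
    urls: List[str] = []
    for k in keys:
        for u in sect[k].split(";"):  # several URLs may share one line
            u = u.strip()
            if u:
                urls.append(u.replace("@ALIAS@", alias))  # "@R@" is left to the tool
    return urls
```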


Known issues

  • although fetch-crl3 will install multiple CRLs in the CRL stores (called ".r0", ".r1", or labelled appropriately in an NSS store), if the number of CRLs decreases the left-overs are not automatically removed. So if the number of CRLs for a particular CA goes down from n to n-1, the file ".rn" must be removed manually.
  • NSS CRL database support is currently not implemented
  • Overall process timeouts (proctimeout) are currently not implemented