Index of /distribution/util/fetch-crl

Icon  Name                    Last modified      Size  Description
[DIR] Parent Directory                    -
[   ] VERSION-2.6.6.-IS-CU..>  16-Sep-2007 22:37    0
[   ] fetch-crl-2.5.1-1.no..>  17-Jan-2006 02:20  14K
[   ] fetch-crl-2.5.1-1.sr..>  17-Jan-2006 02:20  14K
[   ] fetch-crl-2.5.1.tar.gz   17-Jan-2006 02:20  11K
[   ] fetch-crl-2.5.tar.gz     16-Jan-2006 17:49  11K
[   ] fetch-crl-2.6.3-1.no..>  13-Nov-2006 20:52  15K
[   ] fetch-crl-2.6.3-1.sr..>  13-Nov-2006 20:52  16K
[   ] fetch-crl-2.6.3.tar.gz   13-Nov-2006 20:52  12K
[   ] fetch-crl-2.6.4-1.no..>  15-Aug-2007 17:26  15K
[   ] fetch-crl-2.6.4-1.sr..>  15-Aug-2007 17:26  16K
[   ] fetch-crl-2.6.4.tar.gz   15-Aug-2007 17:26  13K
[   ] fetch-crl-2.6.6-1.no..>  16-Sep-2007 21:51  16K
[   ] fetch-crl-2.6.6-1.sr..>  16-Sep-2007 21:51  16K
[   ] fetch-crl-2.6.6.tar.gz   16-Sep-2007 21:51  13K

FETCH-CRL version 2.x
---------------------
This tool and its associated cron entry ensure that Certificate Revocation
Lists (CRLs) are periodically retrieved from the web sites of the respective
Certification Authorities.
It assumes that the installed CA files follow the hash.crl_url convention.

Note that this version does not support multiple CAs with the same subject
name, since their hash-named .r0 files would collide.


Installation
------------
The default installation directory is "/usr". This can be changed with the
PREFIX variable setting to "make", like:

	make install PREFIX=/opt/edg


Configuration
-------------

By default, the fetch-crl script will operate on the current working
directory, where it looks for ".crl_url" files and will write the
retrieved CRLs using the OpenSSL-compatible "<hash>.r0" filename
convention.
If the (RedHat-style) system configuration file "/etc/sysconfig/fetch-crl"
exists, settings may be supplied there:

	CRLDIR={path}
		directory of the CRL and crl_url files. It sets both
		the locationDirectory and the outputDirectory to the
		specified path.

	QUIET={yes|no}
		suppress printing of information messages

	SERVERCERTCHECK={yes|no}
		ignore or complain about unrecognised web server certificates
		on download. The default (since 2.6.1) is "no", i.e. ignore
		unrecognised server certificates, as the CRL itself is already
		signed by the CA.

	SYSLOGFACILITY={facility}
		if set, messages and errors will also be written to syslog(3)
		using the logger(1) programme. Informational messages will
		go in at severity DEBUG, errors at severity ERR.
		(if left unset, syslog will not be used)


Usage
-----

Usage: fetch-crl [-h|--help]
       fetch-crl [-l|--loc <locationDirectory>]
                     [-o|--out <outputDirectory>] [-q|--quiet]
                     [-a|--agingtolerance <hours>]

   Options:

      -h|--help show this help

      -l|--loc  <locationDirectory>
                The script will search this directory for files with the
                suffix '.crl_url'. It is supposed that each one of these
                files contains the URL of a Certificate Revocation List (CRL)
                for a Certification Authority. This URL is of the form
                http://www.myhost.com/myCRL.
                Note: the CRL files to download must be in either PEM or
                      DER format.
                For validity checking of the CA certificates, this script
                assumes that the certificates of the CAs are found also
                in this directory.
                Default: output directory (see below)

      -o|--out  <outputDirectory>
                directory where to put the downloaded and processed CRLs.
                The directory to be used as argument for this option
                is typically /etc/grid-security/certificates
                Default: current working directory

      -a|--agingtolerance <hours>
                The maximum age of the locally downloaded CRL before download
                failures trigger actual error messages. This error message
                suppression mechanism only works if the crl_url files are named
                after the hash of the CRL issuer name, a stat(1) command is
                installed, and a CRL has already been downloaded at least once.

      -q|--quiet
                Quiet mode (do not print information messages)

      -n|--no-check-certificate
                Do not check the server certificate when downloading CRLs. This
                is the default.

      --check-server-certificate
                Reverse: do check the server certificate when downloading CRLs.

      -f|--syslog-facility <facility>
                Also log messages and errors to the given syslog facility.
                Messages are logged at level DEBUG, errors at level ERR.

   Defaults can be set in the fetch-crl system configuration file
   /etc/sysconfig/fetch-crl (resettable via the FETCH_CRL_SYSCONFIG environment
   variable, see manual for details).
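The aging-tolerance rule above is easy to get wrong when reimplementing a cron wrapper around fetch-crl, so here is an added illustration in Python that is not part of fetch-crl's own shell code. It models the <hash>.crl_url / <hash>.r0 layout the tool expects, reads the URL from each crl_url file, measures the age of any previously retrieved CRL with stat, and decides whether a failed download would be a suppressed warning or a real error. Nothing is downloaded; the directory, issuer hashes and URLs are constructed sample data, and the function names are this example's own.

```python
# Added illustration, not fetch-crl's own shell code: model the
# <hash>.crl_url / <hash>.r0 layout and the -a/--agingtolerance rule.
# No CRL is downloaded; the directory, hashes and URLs are constructed.
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

CRL_URL_SUFFIX = ".crl_url"
CRL_SUFFIX = ".r0"          # OpenSSL-style CRL file name for the issuer hash


@dataclass
class CrlEntry:
    hash_name: str                  # issuer hash, e.g. "aaaa1111" (constructed)
    url: str                        # contents of <hash>.crl_url
    local_crl: Optional[str]        # path of an already retrieved <hash>.r0
    age_hours: Optional[float]      # age of that file, None if never retrieved


def scan_location_dir(loc_dir: str, out_dir: Optional[str] = None,
                      now: Optional[float] = None) -> List[CrlEntry]:
    """Find every <hash>.crl_url in loc_dir, read its URL, and look for the
    matching <hash>.r0 in out_dir (fetch-crl's default: the same directory)."""
    out_dir = out_dir or loc_dir
    now = time.time() if now is None else now
    entries = []
    for name in sorted(os.listdir(loc_dir)):
        if not name.endswith(CRL_URL_SUFFIX):
            continue
        hash_name = name[:-len(CRL_URL_SUFFIX)]
        with open(os.path.join(loc_dir, name)) as f:
            url = f.read().strip()
        crl_path = os.path.join(out_dir, hash_name + CRL_SUFFIX)
        if os.path.exists(crl_path):
            age = (now - os.stat(crl_path).st_mtime) / 3600.0
            entries.append(CrlEntry(hash_name, url, crl_path, age))
        else:
            entries.append(CrlEntry(hash_name, url, None, None))
    return entries


def download_failure_severity(entry: CrlEntry, aging_tolerance_hours: float) -> str:
    """Apply the documented rule: a failed download is only a warning while a
    previously retrieved CRL no older than the tolerance is still on disk;
    with no local CRL, or a CRL past the tolerance, it is a real error."""
    if entry.local_crl is None or entry.age_hours is None:
        return "error"
    return "warning" if entry.age_hours <= aging_tolerance_hours else "error"


def classify_all(loc_dir: str, aging_tolerance_hours: float,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Map each issuer hash in loc_dir to the severity a download failure
    would get under the given aging tolerance."""
    return {e.hash_name: download_failure_severity(e, aging_tolerance_hours)
            for e in scan_location_dir(loc_dir, now=now)}


def build_demo_dir():
    """Create a throwaway directory with three constructed CA entries:
    one CRL fetched 2 h ago, one 48 h ago, and one never fetched."""
    d = tempfile.mkdtemp(prefix="fetch-crl-demo-")
    samples = {                      # constructed hashes and URLs, not real CAs
        "aaaa1111": "http://www.example.org/fresh.crl",
        "bbbb2222": "http://www.example.org/stale.crl",
        "cccc3333": "http://www.example.org/never.crl",
    }
    for h, url in samples.items():
        with open(os.path.join(d, h + CRL_URL_SUFFIX), "w") as f:
            f.write(url + "\n")
    now = time.time()
    for h, hours_ago in (("aaaa1111", 2), ("bbbb2222", 48)):
        p = os.path.join(d, h + CRL_SUFFIX)
        open(p, "w").close()
        stamp = now - hours_ago * 3600
        os.utime(p, (stamp, stamp))   # backdate like an earlier fetch-crl run
    return d, now


if __name__ == "__main__":
    demo_dir, demo_now = build_demo_dir()
    for hash_name, severity in classify_all(demo_dir, 24, now=demo_now).items():
        print(f"{hash_name}: download failure would be a {severity}")
```

Run with a 24-hour tolerance, the 2-hour-old CRL yields a suppressed warning, the 48-hour-old one and the never-fetched one yield errors; raising the tolerance to 72 hours turns the 48-hour entry into a warning as well. Note that a missing .r0 is always an error, matching the documented requirement that a CRL must have been downloaded at least once for suppression to apply.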


Origin
------
The original version of edg-fetch-crl was written by
Fabio Hernandez (fabio@in2p3.fr), IN2P3 Computer Center
(http://www.in2p3.fr/CC), Lyon (FRANCE),
as part of the DataGrid project (see http://www.edg.org/).
It is governed by the EU DataGrid open source license.