FETCH-CRL(8)                System Manager's Manual               FETCH-CRL(8)


NAME

       fetch-crl - retrieve certificate revocation lists


SYNOPSIS

       fetch-crl [-c config] [-v[v..]] [-q] [-h] [-l infopath] [-o outputpath]
       [-s statepath] [-a agingtolerance] [-T httptimeout] [-r randomwait]
       [-p parallelism] [--formats openssl|pem|der|nss] ..


DESCRIPTION

       The fetch-crl utility will retrieve certificate revocation lists (CRLs)
       for a set of installed trust anchors, based on crl_url files or
       IGTF-style info files. It will install these for use with OpenSSL, NSS
       or third-party tools.

       It works based on a list of trust anchors, for each of which one or
       more CRLs should be installed in a CRL store. For each of these CRLs,
       one or more URLs can be specified from which the specific CRL can be
       retrieved. There are several supported formats for CRL stores:

       openssl
              has a directory in which hash.r<i> files are stored, one CRL per
              file, where i is the CRL sequence number. All CRLs for the trust
              anchors whose subject distinguished name hashes to hash are read
              and evaluated for each certificate issued by the CAs whose
              subject name hash matches hash.

              OpenSSL in version 1 changed its subject name hashing algorithm,
              though, so that for one trust anchor two hashes could be used,
              depending on the specific OpenSSL version at hand. If OpenSSL
              version 1 or higher is used by fetch-crl and the default mode is
              used, each CRL is written out twice, once for each possible hash
              value. This mode is controlled by the opensslmode = { dual |
              single } configuration option in the configuration file.

       pem    writes out the CRL in PEM (RFC 1421) format.

       der    writes out the CRL in binary under distinguished encoding rules
              (DER).

       nss    will use the crlutil from the Mozilla NSS tools to add or
              replace a CRL in the NSS cert8.db database.


       Each CRL can be retrieved from one of several URLs. These URLs are
       listed by default in the trust anchor meta-data: the .info file or the
       .crl_url file, as shipped with the trust anchor. In the .crl_url file,
       there is one URL per line; in the .info file, the crl_url attribute is
       a semicolon-separated list of URLs. These URLs are then tried in order
       to retrieve a fresh CRL. Once data has been successfully retrieved,
       this data is used as the CRL if it passes verification, signature
       checking and expiration checks. HTTP, HTTPS, FTP and file URLs are
       supported. If data for a CRL has been downloaded but this data fails
       any of the subsequent checks (signature validation, freshness), the CRL
       data is discarded and NO further URLs are tried for this CRL!

       URLs can be pre-pended or post-pended to the default list via the
       configuration file. This can be used to prefer a local mirror
       repository over any URLs shipped by the trust anchor provider, without
       the need to modify the trust anchor metadata. By post-pending a URL, a
       'last-resort' download location can be added in case the CA-provided
       URLs cannot be used. The pre- and post-pended URLs are subject to token
       expansion of the tokens @ALIAS@, @ANCHORNAME@, and @R@, where R is the
       sequence number of the CRL on a per-trust-anchor basis.

       Retrieved CRLs may be PEM (RFC 1421) or DER encoded. They are
       automatically converted as needed by fetch-crl, using the OpenSSL
       command-line tool.

       Retrieving a CRL without having an accompanying CA root certificate in
       an OpenSSL-accessible form (like @ALIAS@.0 or @ANCHORNAME@.@R@) will
       result in verification failures. The CA lookup directory and patterns
       can be configured via the configuration file.



TOKEN EXPANSION

       In paths and name templates, tokens are expanded to allow a single
       pattern to be used for all trust anchors. The nametemplate_*,
       catemplate, prepend_url, and postpend_url configuration settings are
       subject to token expansion.

       The following tokens are recognised:

       @ALIAS@
              The alias name of the trust anchor as defined in the info file.
              If there is no info file and the meta-data is retrieved from
              crl_url files, then the alias is set to the basename (excluding
              the .crl_url suffix) of the filename of the trust anchor.

       @ANCHORNAME@
              The file name of the trust anchor, without any .info or .crl_url
              suffix.

       @R@    The CRL sequence number, counting from 0. Note that most trust
              anchors only have a single CRL, with sequence number "0".
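       As an added illustration of the URL selection and retrieval order
       described in DESCRIPTION and of the token expansion above (this is a
       model written for this page, not code from fetch-crl itself), the
       following Python builds the candidate URL list from .info or .crl_url
       metadata plus token-expanded prepend_url/postpend_url entries, then
       walks it with the documented stop-on-verification-failure rule. The
       fetch and verify callables, the mirror.example and last.example hosts
       and the sample .info text are constructed placeholders.

```python
# Model of fetch-crl's per-CRL URL list construction and retrieval order.
# Constructed example for this page; fetch/verify are injected stand-ins.
from typing import Callable, List, Optional, Sequence, Tuple


def expand_tokens(template: str, alias: str, anchorname: str, r: int) -> str:
    """Expand @ALIAS@, @ANCHORNAME@ and @R@ (R = CRL sequence number, from 0)."""
    return (template.replace("@ALIAS@", alias)
            .replace("@ANCHORNAME@", anchorname)
            .replace("@R@", str(r)))


def parse_info_crl_urls(info_text: str) -> List[str]:
    """Return the crl_url list from IGTF-style .info text (semicolon separated)."""
    for line in info_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "crl_url":
            return [u.strip() for u in value.split(";") if u.strip()]
    return []


def parse_crl_url_file(text: str) -> List[str]:
    """Return URLs from .crl_url text: one per line, blanks and '#' lines skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def candidate_urls(default_urls: Sequence[str], alias: str, anchorname: str, r: int,
                   prepend: Sequence[str] = (), postpend: Sequence[str] = ()) -> List[str]:
    """Local mirrors first (prepend_url), then the anchor's own URLs, then last resorts."""
    pre = [expand_tokens(u, alias, anchorname, r) for u in prepend]
    post = [expand_tokens(u, alias, anchorname, r) for u in postpend]
    return pre + list(default_urls) + post


def retrieve_crl(urls: Sequence[str], fetch: Callable[[str], Optional[bytes]],
                 verify: Callable[[bytes], bool]) -> Tuple[Optional[bytes], str]:
    """Try URLs in order. A download failure (fetch returns None) moves on to the
    next URL; once data arrives it is accepted only if verify() passes, and a
    verification failure ends the search: no further URLs are tried for this CRL."""
    for url in urls:
        data = fetch(url)
        if data is None:
            continue
        if verify(data):
            return data, url
        return None, f"rejected data from {url}; remaining URLs not tried"
    return None, "no URL yielded CRL data"
```

       A stale or corrupt copy on a pre-pended mirror therefore blocks the
       CA's own URLs for that run, which is why a mirror should be monitored
       as carefully as the trust anchor's published location.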

OPTIONS

       -h --help
              Show help text.

       -l --infodir metadata-directory
              The script will search this directory for files with the suffix
              '.info' or '.crl_url'. Note: the CRL files to download must be
              in either PEM or DER format.

       -o --out outputDirectory
              Directory where to put the downloaded and processed CRLs. The
              directory to be used as argument for this option is typically
              /etc/grid-security/certificates. Default: infodir (meta-data
              directory).

       -a --agingtolerance hours
              The maximum age of the locally downloaded CRL before download
              failures trigger actual error messages. This error message
              suppression mechanism only works if the CRL has been downloaded
              at least once and either the crl_url files are named after the
              hash of the CRL issuer name, or a state directory is used to
              preserve state across invocations.

              Default: 24 hour aging tolerance.

       -q --quiet
              Quiet mode (do not print information messages).

       -r --randomwait s
              Wait up to s seconds before starting the retrieval process(es).

       -p --parallelism n
              Do the retrieval for several trust anchors in parallel, with up
              to n processes doing retrievals. At most n downloads will be
              active at any one time. Multiple CRLs for the same trust anchor
              are still downloaded sequentially.


CONFIGURATION

       Please see http://www.nikhef.nl/grid/gridwiki/index.php/FetchCRL3 for a
       description of the configuration options. The default location of the
       configuration file is /etc/fetch-crl.conf.


NOTES

       Defaults can be set in the fetch-crl system configuration file
       /etc/fetch-crl.conf.


SEE ALSO

       openssl(1), http://www.nikhef.nl/grid/gridwiki/index.php/FetchCRL3


DIAGNOSTICS

       Exit status is normally 0; if an error occurs, exit status is 1 and
       diagnostics will be written to standard error.


LICENSE

       Licensed under the Apache License, Version 2.0 (the "License");

       http://www.apache.org/licenses/LICENSE-2.0


BUGS

       Although fetch-crl3 will install multiple CRLs in the CRL stores
       (called '.r0', '.r1', or labelled appropriately in an NSS store), if
       the number of CRLs decreases the left-overs are not automatically
       removed. So if the number of CRLs for a particular CA goes down from n
       to n-1, the file '.rn' must be removed manually.



Trust Anchor Utilities               local                        FETCH-CRL(8)