Man Linux: Main Page and Category List


       fetch-crl - retrieve certificate revocation lists


       fetch-crl [-l locationDirectory] [-o outputDirectory] [-a agingTolerance] [-q]


       fetch-crl  retrieves  certificate  revocation lists (CRLs). CRLs can be
       retrieved from web sites using the HTTP or HTTPS protocols and  can  be
       in either PEM or DER encoded form. The URLs for the CRL download are to
       be found in  files  named  hash.r0  and  should  accompany  a  CA  root
       certificate   with   the   same  hash.  Retrieving  a  CRL  without  an
       accompanying CA root certificate will result in a verification failure.


       -h --help
              Show help text.

       -l --loc locationDirectory
              The  script will search this directory for files with the suffix
              '.crl_url'. It is supposed that each one of these files contains
              the   URL   of   a  Certificate  Revocation  List  (CRL)  for  a
              Certification   Authority.   This   URL   is   of    the    form
       Note:  the  CRL files to download
              must be in either PEM or DER format.

              For validity  checking  of  the  CA  certificates,  this  script
              assumes  that the certificates of the CAs are found also in this

              Default: output directory (see below)

       -o --out outputDirectory
              Directory where to put the downloaded and processed  CRLs.   The
              directory  to  be  used as argument for this option is typically

              Default: current working directory

       -a --agingtolerance hours
              The maximum age of the locally downloaded  CRL  before  download
              failures  trigger  actual  error  messages.  This  error message
              suppression mechanism only works if the crl_url files are  named
              after  the  hash  of  the  CRL issuer name, a stat(1) command is
              installed, and a CRL has already been downloaded at least  once.

              Default: no aging tolerance

       -q --quiet
              Quiet mode (do not print information messages)

       -n, --no-check-certificate
              Do  not  check the server certificate when retrieving URLs. (see
              also: SERVERCERTCHECK=no in /etc/fetch-crl.conf.


       Defaults  can  be  set  in  the  fetch-crl  system  configuration  file
       /etc/fetch-crl.conf,  using  the  CRLDIR  and QUIET directives.  If you
       want a specific  version  of  OpenSSL  to  be  used  by  fetch-crl  for
       converting  and  validating CRLs, set the FETCH_CRL_OPENSSL environment
       variable  (via  /etc/fetch-crl.conf).   For  historical   reasons,   if
       /etc/fetch-crl.conf  does not exist, but /etc/sysconfig/fetch-crl does,
       the latter file is read instead.

       The script will try to use the latest version of OpenSSL  to  be  found
       anywhere  in  your  path  or  in  /usr/bin  , /usr/local/bin (or in the
       $GLOBUS_LOCATION/bin directory when  available).   Use  of  the  latest
       version of OpenSSL is strongly encouraged.

       The  fetch-crl  script  should  preferably be run from cron(8) at least
       once every day. See  /usr/share/doc/fetch-crl-version  for  en  example
       cron job to install.

       Other configuration variables recognised in /etc/fetch-crl.conf:

              Number  of attempts of wget to obtain the CRL from the specified

       WGET_TIMEOUT seconds
              Number of seconds to wait for each stage of the http GET request
              (i.e.   seconds  sec  for DNS resolving, and the same amount for
              downloading, etc.)

       SERVERCERTCHECK {yes,no}
              When set to "no", the check of the server  certificate  validity
              is suppressed (applies to wget version 1.10 and higher only).

       WGET_OPTS options
              Additional   command-line   arguments   to   be  passed  to  the
              invocations of wget.

       LOGFILE filename
              In addition to all other message output mechanisms, also  append
              generated messages to the file filename

              Only  complain  about failed CRL download if the download failed
              persistently for more than hours consecutive hours,  or  if  the
              current  time  is  past  the advertised nextUpdate time for this




       Exit status is normally 0; if an error occurs, exit  status  is  1  and
       diagnostics will be written to standard error.


       The fetch-crl program cannot handle CRLs for multiple certificates with
       the same hash value.