fetch-crl - retrieve certificate revocation lists
fetch-crl [-l locationDirectory] [-o outputDirectory] [-a agingTolerance] [-q]
fetch-crl retrieves certificate revocation lists (CRLs). CRLs can be
retrieved from web sites using the HTTP or HTTPS protocols and can be
in either PEM or DER encoded form. The URLs for the CRL download are to
be found in files named hash.r0 and should accompany a CA root
certificate with the same hash. Retrieving a CRL without an
accompanying CA root certificate will result in a verification failure.
Show help text.
-l --loc locationDirectory
The script will search this directory for files with the suffix
'.crl_url'. It is supposed that each one of these files contains
the URL of a Certificate Revocation List (CRL) for a
Certification Authority. This URL is of the form
http://www.myhost.com/myCRL. Note: the CRL files to download
must be in either PEM or DER format.
For validity checking of the CA certificates, this script
assumes that the certificates of the CAs are found also in this
Default: output directory (see below)
-o --out outputDirectory
Directory where to put the downloaded and processed CRLs. The
directory to be used as argument for this option is typically
Default: current working directory
-a --agingtolerance hours
The maximum age of the locally downloaded CRL before download
failures trigger actual error messages. This error message
suppression mechanism only works if the crl_url files are named
after the hash of the CRL issuer name, a stat(1) command is
installed, and a CRL has already been downloaded at least once.
Default: no aging tolerance
Quiet mode (do not print information messages)
Do not check the server certificate when retrieving URLs. (see
also: SERVERCERTCHECK=no in /etc/fetch-crl.conf.
Defaults can be set in the fetch-crl system configuration file
/etc/fetch-crl.conf, using the CRLDIR and QUIET directives. If you
want a specific version of OpenSSL to be used by fetch-crl for
converting and validating CRLs, set the FETCH_CRL_OPENSSL environment
variable (via /etc/fetch-crl.conf). For historical reasons, if
/etc/fetch-crl.conf does not exist, but /etc/sysconfig/fetch-crl does,
the latter file is read instead.
The script will try to use the latest version of OpenSSL to be found
anywhere in your path or in /usr/bin , /usr/local/bin (or in the
$GLOBUS_LOCATION/bin directory when available). Use of the latest
version of OpenSSL is strongly encouraged.
The fetch-crl script should preferably be run from cron(8) at least
once every day. See /usr/share/doc/fetch-crl-version for en example
cron job to install.
Other configuration variables recognised in /etc/fetch-crl.conf:
Number of attempts of wget to obtain the CRL from the specified
Number of seconds to wait for each stage of the http GET request
(i.e. seconds sec for DNS resolving, and the same amount for
When set to "no", the check of the server certificate validity
is suppressed (applies to wget version 1.10 and higher only).
Additional command-line arguments to be passed to the
invocations of wget.
In addition to all other message output mechanisms, also append
generated messages to the file filename
Only complain about failed CRL download if the download failed
persistently for more than hours consecutive hours, or if the
current time is past the advertised nextUpdate time for this
Exit status is normally 0; if an error occurs, exit status is 1 and
diagnostics will be written to standard error.
The fetch-crl program cannot handle CRLs for multiple certificates with
the same hash value.