Provided by: fetch-crl_3.0.22-2_all 
NAME
fetch-crl - retrieve certificate revocation lists
SYNOPSIS
fetch-crl [-c config] [-v[v..]] [-q] [-h] [--inet6glue] [-l infopath] [-o outputpath] [-s statepath]
[-a agingtolerance] [-T httptimeout] [-r randomwait] [-p parallelism] [--formats openssl|pem|der|nss] ..
[--define key=value] .. [--cfgdir dirname]
DESCRIPTION
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for a set of installed trust
anchors, based on crl_url files or IGTF-style info files. It will install these for use with OpenSSL, NSS
or third-party tools.
It works based on a list of trust anchors, for each of which one or more CRLs should be installed in a
CRL store. And for each of these CRLs, one or more URLs can be specified from which the specific CRL can
be retrieved. There are several supported formats for CRL stores:
openssl
has a directory in which hash. i files are stored, one CRL per file, and all CRLs for the trust
anchors whose subject distinguished name hashes to hash are read and evaluated for each
certificate issues by the CAs whose subject name hash matches hash
OpenSSL in version 1 changes its subject name hashing algorithm, though, so that for one trust
anchor two hashes could be used, depending on the specific OpenSSL version at hand. If OpenSSL
version 1 or higher is used by fetch-crl and the default mode is used, each CRL is written out
twice, once for each possible hash value. This mode in controlled by the opensslmode = { dual |
single } configuration option in the configuration file.
pem writes out the CRL in PEM (RFC 1421) format.
der writes out the CRL in binary under distinguished encoding rules
nss will use the crlutil from the Mozilla NSS tools to add or replace a CRL in the NSS cert8.db
database.
Each CRLs can be retrieved from one of several URLs. These URLs are listed by default in the trust anchor
meta-data: the .info file or the .crl_url file, as shipped with the trust anchor. In the crl_url file,
there is one URL per line; in the .info file, the crl_url attribute is a semi-colon separated list of
URLs. These URLs are then tried in order to retrieve a fresh CRL. Once data has been successfully
retrieved, this data is used as the CRL if it passes verification, signature checking and expiration
checks. Http, https, ftp and file URLs are supported. If data for a CRL has been downloaded but this data
fails any of the subsequent checks (signature validation, freshness), the CRL data is discarded and NO
further URLs are tried for this CRL!
URLs can be pre-pended or post-pended to the default list via the configuration file. This can be used to
prefer a local mirror repository over any URLs shipped by the trust anchor provider, without the need to
modify the trust anchor metadata. By post-pending a URL, a 'last-resort' download location can be added
in case the CA provided URLs cannot be used. The pre- and post-pended URLS are subject to token expansion
of the tokens @ALIAS@, @ANCHORNAME@, and @R@, where R is the sequence number of the CRL on a per-trust
anchor basis.
Retrieved CRLs may be PEM (RFC1421) or DER encoded. They are automatically converted as needed by fetch-
crl, using the OpenSSL command-line tool.
Retrieving a CRL without having an accompanying CA root certificate in an OpenSSL-accessible form (like
@ALIAS@.0 or @ANCHORNAME@.@R@ will result in a verification failures. The CA lookup directory and
patterns can be configured via the configuration file
TOKEN EXPANSION
In paths and name templates, tokens are expanded to allow a single pattern to be used for all trust
anchors. The nametemplate_*, catemplate, prepend_url, and postpend_url configuration settings are subject
to token expansion.
The following tokens are recognised
@ALIAS@
The alias name of the trust anchor as defined in the info file. If there is no info file and the
meta-data is retrieved from crl_url files, then the alias is set to the basename (excluding the
.crl_url suffix) of the filename of the trust anchor.
@ANCHORNAME@
The file name of the trust anchor, without any .info or .url_crl suffix.
@R@ The CRL sequence number, counting from 0. Note that most trust anchors only have a single CRL,
with sequence number "0".
OPTIONS
-h --help
Show help text.
-l --infodir metadata-directory
The script will search this directory for files with the suffix '.info' or '.crl_url'. Note: the
CRL files to download must be in either PEM or DER format.
-o --out outputDirectory
Directory where to put the downloaded and processed CRLs. The directory to be used as argument
for this option is typically /etc/grid-security/certificates Default: infodir (meta-data
directory)
-a --agingtolerance hours
The maximum age of the locally downloaded CRL before download failures trigger actual error
messages. This error message suppression mechanism only works if the CRL has been downloaded at
least once and either the crl_url files are named after the hash of the CRL issuer name, or a
state directory is used to preserve state across invocations.
Default: 24 hour aging tolerance
-q --quiet
Quiet mode (do not print information messages)
-r --randomwait s
Wait up to s seconds before starting the retrieval process(es).
-p --parallelism n
Do the retrieval for several trust anchors in parallel, with up to n processes doing retrievals.
At most n downloads will be active at any one time. Multiple CRLs for the same trust anchor are
still downloaded sequentially.
--inet6glue
Load the Net::INET6Glue module to enable IPv6 support in LWP.
--define key=value
Add definitions to the configuration at runtime. The key=value pair is appended to the main
section of the configuration, unless a colon is used in the key: then the part before the colon is
the config file section name, and the part thereafter the key inside that section. To merely set
a valueless option, set to to the null-string "".
CONFIGURATION
See http://wiki.nikhef.nl/grid/FetchCRL3 or the included example file for a description of the
configuration options. The default location of the configuration file is /etc/fetch-crl.conf.
Supplementary configuration is read from all files located in /etc/fetch-crl.d/, or the directory
designated by the cfgdir directive, whose collated contents are added to the existing configuration data.
NOTES
Defaults can be set in the fetch-crl system configuration file /etc/fetch-crl.conf.
SEE ALSO
openssl(1), http://wiki.nikhef.nl/grid/FetchCRL3
DIAGNOSTICS
Exit status is normally 0; if an error occurs, exit status is 1 and diagnostics will be written to
standard error.
LICENSE
Licensed under the Apache License, Version 2.0 (the "License");
http://www.apache.org/licenses/LICENSE-2.0
BUGS
Although fetch-crl3 will install multiple CRLs in the CRL stores (called '.r0', '.r1', or labelled
appropriately in an NSS store), if the number of CRLs decreases the left-overs are not automatically
removed. So if the number of CRLs for a particular CA does down from n to n-1, the file '.rn' must be
removed manually.
Trust Anchor Utilities local FETCH-CRL(8)