1 |
# |
2 |
# EXAMPLE configuration file for Fetch-crl3 |
3 |
# @(#)$Id$ |
4 |
# |
5 |
# configuration file fetch-crl3 |
6 |
# use SEMICOLON (;) or \001 (^A) as list separators in values |
7 |
# |
8 |
# --------------------------------------------------------------------------- |
9 |
# infoset set the location where the meta-data files (.info or .crl_url) |
10 |
# are help by default. All trust anchors listed there are processes, so |
11 |
# to suppress this behaviour set this to the empty value "" |
12 |
# |
13 |
# infodir = /etc/grid-security/certificates |
14 |
# |
15 |
# --------------------------------------------------------------------------- |
16 |
# cadir sets the location where the trust anchors themselves are found, as |
17 |
# PEM files, to be used in the CRL verification by openssl. They are usually |
18 |
# names after the trust anchor proper name ("alias.0"), or after the filename |
19 |
# of the trust anchor, the basename of the meta-data file name ("hash.0"). |
20 |
# It defaults to infodir |
21 |
# |
22 |
# cadir = /etc/grid-security/certificates |
23 |
# |
24 |
# --------------------------------------------------------------------------- |
25 |
# output sets the location where the retrieved CRLs are written by default. |
26 |
# It can be overridden on a per-output-format basis by setting the |
27 |
# "output_<fmt>" options. It should point to a directory (even for the |
28 |
# NSS output format. It defaults to infodir |
29 |
# |
30 |
# output = /etc/grid-security/certificates |
31 |
# |
32 |
# --------------------------------------------------------------------------- |
33 |
# statedir points to the directory where per-CRL state files are kept. These |
34 |
# state files record the retrieval time, last-retrieved (modification) time, |
35 |
# best-before date and the (cached) content of the CRL. For the purposes of |
36 |
# the CRL state, all CRL URLs for a particular trust anchor index are |
37 |
# considered equal. |
38 |
# If it is unset, no state is preserved, but the last-retrieved time is |
39 |
# guessed from the modification time. If statedir does not exist, or is |
40 |
# not writable, it is not used but silently ignored. Writeability is |
41 |
# determined by perl's "-w" test. |
42 |
# It defaults to /var/cache/fetch-crl |
43 |
# |
44 |
# statedir = /var/cache/fetch-crl |
45 |
# |
46 |
# --------------------------------------------------------------------------- |
47 |
# formats lists one or more ways to write out the CRL to the output |
48 |
# directories. It can be one or more of "openssl", "der", "pem", or "nss" |
49 |
# in a comma-separated list. |
50 |
# * the "openssl" format writes out "hash.rX" files, with <hash> being the |
51 |
# first 4 bytes of the digest of the subject DN, and "X" a sequence number |
52 |
# of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0 |
53 |
# or above, it can write out the CRL with two possible hash algorithms at |
54 |
# the same time: the 'old' MD5 of the binary subject DN representation, or |
55 |
# the 'new' SHA1 based digest of the canonical representation. Whether |
56 |
# one or two hashes are written is determined by the "opensslmode" option. |
57 |
# * "pem" writes out the CRL in PEM (RFC1421) format, to the file named |
58 |
# after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem) |
59 |
# in the output or output_pem directory |
60 |
# * "der" does the same in DER binary format, to a file names |
61 |
# after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl) |
62 |
# in the output or output_der directory |
63 |
# * "nss" adds (or replaces) the named CRL in the NSS database in |
64 |
# <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool |
65 |
# |
66 |
# formats = openssl |
67 |
# |
68 |
# --------------------------------------------------------------------------- |
69 |
# specialised output directories |
70 |
# |
71 |
# output_pem = /etc/pki/tls/certs |
72 |
# output_der = /var/tmp |
73 |
# output_nss = /etc/pki/nssdb |
74 |
# |
75 |
# --------------------------------------------------------------------------- |
76 |
# name templates are used to construct the file name of a CRL for installation |
77 |
# based on the meta-data of the CA. It uses token replacement to construct |
78 |
# a specific and unique filename. The tokens recognised are the same as those |
79 |
# of the pre- and postpend URLs: |
80 |
# @ANCHORNAME@ base name of the trust anchor meta-data file name |
81 |
# @ALIAS@ alias name of the trust anchor from the info file (defaults |
82 |
# to the @ANCHORNAME@) |
83 |
# @R@ the sequence number of the CRL for this trust anchor |
84 |
# |
85 |
# nametemplate_der = @ANCHORNAME@.@R@.crl |
86 |
# nametemplate_pem = @ANCHORNAME@.@R@.crl.pem |
87 |
# |
88 |
# --------------------------------------------------------------------------- |
89 |
# catemplate has a (list of) potential names of the certificate of the |
90 |
# trust anchor -- it is used to find the CA data for verifying the |
91 |
# retrieved CRLs. Even if you only use NSS databases, you need a directory |
92 |
# with PEM formatted certificates of the issuing CAs. |
93 |
# |
94 |
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@ |
95 |
# |
96 |
# --------------------------------------------------------------------------- |
97 |
# opensslmode is used if the openssl format for output is specified and also |
98 |
# OpenSSL version 1.0.0 or higher are used. If so, you can have the CRL data |
99 |
# be written out twice, once with the 'old' and once with the 'new' hash style |
100 |
# Default is dual mode, so if OpenSSL 1.x is present, by default TWO files |
101 |
# are written |
102 |
# |
103 |
# opensslmode = dual |
104 |
# opensslmode = single |
105 |
# |
106 |
# --------------------------------------------------------------------------- |
107 |
# nonssverify disables the checking of imported CRLs into an NSS database. |
108 |
# so that you can create a database withonly CRLs, and no CAs. It passes the |
109 |
# "-B" option to the crlutil tool |
110 |
# |
111 |
# nonssverify |
112 |
# |
113 |
# --------------------------------------------------------------------------- |
114 |
# wait up to <randomwait> seconds before doing anything at all |
115 |
# useful for randoming the start time and download from cron across the world |
116 |
# |
117 |
# randomwait = 0 |
118 |
# |
119 |
# --------------------------------------------------------------------------- |
120 |
# logmode defined how the log and error messages are written out: |
121 |
# direct - print them immediately, only the message |
122 |
# qualified - print immediately, but prexif it with the message type |
123 |
# "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)" |
124 |
# cache - save messages and dump them all at once at the end |
125 |
# syslog - write the message to system with a decent severity level |
126 |
# using facility <syslogfacility> (default: daemon) |
127 |
# |
128 |
# logmode = qualified |
129 |
# |
130 |
# --------------------------------------------------------------------------- |
131 |
# wait at most <httptimeout> seconds for the retrieval of a data blob |
132 |
# from a remote URL (http, https, or ftp). The timeout covers the whole |
133 |
# retrieval process, incliding DNS resolution. Default is 120 seconds. |
134 |
# |
135 |
# httptimeout = 30 |
136 |
# |
137 |
# --------------------------------------------------------------------------- |
138 |
# httpproxy sets the url for the HTTP proxy to use (in perl LWP style). Or |
139 |
# use ENV to pick up the settings from the environment |
140 |
# |
141 |
# http_proxy = http://localhost:8001/ |
142 |
# |
143 |
# --------------------------------------------------------------------------- |
144 |
# nowarnings suppresses the pritning and logging or any and all warnings (but |
145 |
# not errors or verbose messages) |
146 |
# |
147 |
# nowarnings |
148 |
# |
149 |
# --------------------------------------------------------------------------- |
150 |
# noerrors suppresses the pritning and logging or any and all errors (but |
151 |
# not warnings or verbose messages) |
152 |
# |
153 |
# noerrors |
154 |
# |
155 |
# --------------------------------------------------------------------------- |
156 |
# agingtolerance sets the time in hours before retrieval warnings become |
157 |
# errors for a CRL retrieval. If you also suppress warnings, you will |
158 |
# prevent any annoying messages for a trust anchor for up to <hrs> hours. |
159 |
# The IGTF currently recommends an aging tolerance of 24 hours, to allow |
160 |
# for network disruptions and connectivity problems. |
161 |
# |
162 |
# agingtolerance = 24 |
163 |
# |
164 |
# --------------------------------------------------------------------------- |
165 |
# prepend_url URLs are tried first before using any URLs form the crl_url |
166 |
# file or the .info crl_url (crl_url.0) fields |
167 |
# |
168 |
# prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@ |
169 |
# |
170 |
# --------------------------------------------------------------------------- |
171 |
# postpend_url URLs are tried last, only if all URLs form the crl_url file |
172 |
# or the .info crl_url (crl_url.0) fields have already failed or timed out |
173 |
# |
174 |
# postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@ |
175 |
# |
176 |
# --------------------------------------------------------------------------- |
177 |
# path to openssl version to use |
178 |
# openssl = /usr/bin/openssl |
179 |
# |
180 |
# --------------------------------------------------------------------------- |
181 |
# path to use to find utilities like OpenSSL or crlutil. Default leaves it |
182 |
# unmodified |
183 |
# |
184 |
# path = /bin:/usr/bin:/usr/ucb |
185 |
# |
186 |
# --------------------------------------------------------------------------- |
187 |
# settings "backups" will trigger the generation of backup files (~ files) |
188 |
# when writing CRLs to an output destination. |
189 |
# |
190 |
# backups |
191 |
# |
192 |
# --------------------------------------------------------------------------- |
193 |
# stateless supresses any use of the state directory, even if it exists and |
194 |
# is writable |
195 |
# |
196 |
# stateless |
197 |
# |
198 |
# --------------------------------------------------------------------------- |
199 |
# override version or packager to influence the User-Agent header in http |
200 |
# requests. But please leave them alone |
201 |
# version = 3.0 |
202 |
# packager = EUGridPMA |
203 |
|
204 |
# =========================================================================== |
205 |
# PER TRUST ANCHOR OVERRIDES |
206 |
# =========================================================================== |
207 |
# |
208 |
# many settings can be overrules in a per-trust anchor section of the |
209 |
# configuration file. For each trust anchor, only a SINGLE override |
210 |
# section will be used. If a section names after the @ALIAS@ exists, |
211 |
# it will take precedence over any section named after @ANCHORNAME@. |
212 |
# |
213 |
# To have a section work with either ".info" or ".crl_url" files, name it |
214 |
# after the @ANCHORNAME@, since that one will be the same for both. |
215 |
# Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552] |
216 |
# (the latter is the commonly used file name), but using [16da7552] will |
217 |
# result in the section being recognised in both cases |
218 |
# |
219 |
# |
220 |
[16da7552] |
221 |
|
222 |
# --------------------------------------------------------------------------- |
223 |
# agingtolerance for this trust anchor specifically. Use it if the retrieval |
224 |
# for this CA is unreliable. |
225 |
# |
226 |
# agingtolerance = 12 |
227 |
# |
228 |
# --------------------------------------------------------------------------- |
229 |
# replace the list of CRL URLs for this CA and this CRL sequence number |
230 |
# by a completely new set. E.g. from a different place, or a local |
231 |
# cache, or ... |
232 |
# |
233 |
# crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0 |
234 |
# |
235 |
# --------------------------------------------------------------------------- |
236 |
# To never hear of this CA again, suppress both errors and warnings: |
237 |
#noerrors |
238 |
#nowarnings |
239 |
# |
240 |
# --------------------------------------------------------------------------- |
241 |
# You can also (un) set the following on a per-trust anchor basis: |
242 |
# |
243 |
# (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir -- |
244 |
# either remove a global setting, or put in a new setting with value |
245 |
# |
246 |
# (no)warnings (no)noerrors (no)nocache -- |
247 |
# override a global setting (no value possible) |
248 |
# |
249 |
# agingtolerance httptimeout nametemplate_der nametemplate_pem |
250 |
# cadir catemplate |
251 |
# set these to a local value (but they cannot be unset) |
252 |
# |
253 |
# |
254 |
# Share and enjoy -- and remember that up to 7 verbosity levels are |
255 |
# significant :-) "-vvvvvvvv" is a useful option ... |
256 |
# |
257 |
# |