Annotation of /nl.nikhef.pdp.fetchcrl/trunk/fetch-crl.cnf.example

Revision 1758
Fri Jun 11 15:39:04 2010 UTC by davidg
Original Path: fetchcrl/fetch-crl.cnf.example
File size: 11397 byte(s)
Initial import of fetch-crl3

#
# EXAMPLE configuration file for Fetch-crl3
# @(#)$Id$
#
# configuration file fetch-crl3
# use SEMICOLON (;) or \001 (^A) as list separators in values
#
# ---------------------------------------------------------------------------
# infodir sets the location where the meta-data files (.info or .crl_url)
# are held by default. All trust anchors listed there are processed, so
# to suppress this behaviour set this to the empty value ""
#
# infodir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# cadir sets the location where the trust anchors themselves are found, as
# PEM files, to be used in the CRL verification by openssl. They are usually
# named after the trust anchor proper name ("alias.0"), or after the filename
# of the trust anchor, the basename of the meta-data file name ("hash.0").
# It defaults to infodir
#
# cadir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# output sets the location where the retrieved CRLs are written by default.
# It can be overridden on a per-output-format basis by setting the
# "output_<fmt>" options. It should point to a directory (even for the
# NSS output format). It defaults to infodir
#
# output = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# statedir points to the directory where per-CRL state files are kept. These
# state files record the retrieval time, last-retrieved (modification) time,
# best-before date and the (cached) content of the CRL. For the purposes of
# the CRL state, all CRL URLs for a particular trust anchor index are
# considered equal.
# If it is unset, no state is preserved, but the last-retrieved time is
# guessed from the modification time. If statedir does not exist, or is
# not writable, it is not used but silently ignored. Writability is
# determined by perl's "-w" test.
# It defaults to /var/cache/fetch-crl
#
# statedir = /var/cache/fetch-crl
#
# ---------------------------------------------------------------------------
# formats lists one or more ways to write out the CRL to the output
# directories. It can be one or more of "openssl", "der", "pem", or "nss"
# in a comma-separated list.
# * the "openssl" format writes out "hash.rX" files, with <hash> being the
#   first 4 bytes of the digest of the subject DN, and "X" a sequence number
#   of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
#   or above, it can write out the CRL with two possible hash algorithms at
#   the same time: the 'old' MD5 of the binary subject DN representation, or
#   the 'new' SHA1 based digest of the canonical representation. Whether
#   one or two hashes are written is determined by the "opensslmode" option.
# * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
#   after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
#   in the output or output_pem directory
# * "der" does the same in DER binary format, to a file named
#   after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
#   in the output or output_der directory
# * "nss" adds (or replaces) the named CRL in the NSS database in
#   <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
#
# formats = openssl
#
# ---------------------------------------------------------------------------
# specialised output directories
#
# output_pem = /etc/pki/tls/certs
# output_der = /var/tmp
# output_nss = /etc/pki/nssdb
#
# ---------------------------------------------------------------------------
# name templates are used to construct the file name of a CRL for installation
# based on the meta-data of the CA. They use token replacement to construct
# a specific and unique filename. The tokens recognised are the same as those
# of the pre- and postpend URLs:
# @ANCHORNAME@  base name of the trust anchor meta-data file name
# @ALIAS@       alias name of the trust anchor from the info file (defaults
#               to the @ANCHORNAME@)
# @R@           the sequence number of the CRL for this trust anchor
#
# nametemplate_der = @ANCHORNAME@.@R@.crl
# nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
#
# ---------------------------------------------------------------------------
# catemplate has a (list of) potential names of the certificate of the
# trust anchor -- it is used to find the CA data for verifying the
# retrieved CRLs. Even if you only use NSS databases, you need a directory
# with PEM formatted certificates of the issuing CAs.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
#
# ---------------------------------------------------------------------------
# opensslmode is used if the openssl format for output is specified and also
# OpenSSL version 1.0.0 or higher is used. If so, you can have the CRL data
# be written out twice, once with the 'old' and once with the 'new' hash style.
# Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
# are written
#
# opensslmode = dual
# opensslmode = single
#
# ---------------------------------------------------------------------------
# nonssverify disables the verification of CRLs imported into an NSS database,
# so that you can create a database with only CRLs, and no CAs. It passes the
# "-B" option to the crlutil tool
#
# nonssverify
#
# ---------------------------------------------------------------------------
# wait up to <randomwait> seconds before doing anything at all
# useful for randomising the start time of cron-driven downloads across the world
#
# randomwait = 0
#
# ---------------------------------------------------------------------------
# logmode defines how the log and error messages are written out:
# direct    - print them immediately, only the message
# qualified - print immediately, but prefix it with the message type
#             "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
# cache     - save messages and dump them all at once at the end
# syslog    - write the message to syslog with an appropriate severity level
#             using facility <syslogfacility> (default: daemon)
#
# logmode = qualified
#
# ---------------------------------------------------------------------------
# wait at most <httptimeout> seconds for the retrieval of a data blob
# from a remote URL (http, https, or ftp). The timeout covers the whole
# retrieval process, including DNS resolution. Default is 120 seconds.
#
# httptimeout = 30
#
# ---------------------------------------------------------------------------
# http_proxy sets the URL for the HTTP proxy to use (in perl LWP style). Or
# use ENV to pick up the settings from the environment
#
# http_proxy = http://localhost:8001/
#
# ---------------------------------------------------------------------------
# nowarnings suppresses the printing and logging of any and all warnings (but
# not errors or verbose messages)
#
# nowarnings
#
# ---------------------------------------------------------------------------
# noerrors suppresses the printing and logging of any and all errors (but
# not warnings or verbose messages)
#
# noerrors
#
# ---------------------------------------------------------------------------
# agingtolerance sets the time in hours before retrieval warnings become
# errors for a CRL retrieval. If you also suppress warnings, you will
# prevent any annoying messages for a trust anchor for up to <hrs> hours.
# The IGTF currently recommends an aging tolerance of 24 hours, to allow
# for network disruptions and connectivity problems.
#
# agingtolerance = 24
#
# ---------------------------------------------------------------------------
# prepend_url URLs are tried first, before using any URLs from the crl_url
# file or the .info crl_url (crl_url.0) fields
#
# prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
#
# ---------------------------------------------------------------------------
# postpend_url URLs are tried last, only if all URLs from the crl_url file
# or the .info crl_url (crl_url.0) fields have already failed or timed out
#
# postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
#
# ---------------------------------------------------------------------------
# path to openssl version to use
# openssl = /usr/bin/openssl
#
# ---------------------------------------------------------------------------
# path to use to find utilities like OpenSSL or crlutil. Default leaves it
# unmodified
#
# path = /bin:/usr/bin:/usr/ucb
#
# ---------------------------------------------------------------------------
# the setting "backups" triggers the generation of backup files (~ files)
# when writing CRLs to an output destination.
#
# backups
#
# ---------------------------------------------------------------------------
# stateless suppresses any use of the state directory, even if it exists and
# is writable
#
# stateless
#
# ---------------------------------------------------------------------------
# override version or packager to influence the User-Agent header in http
# requests. But please leave them alone
# version = 3.0
# packager = EUGridPMA

# ===========================================================================
# PER TRUST ANCHOR OVERRIDES
# ===========================================================================
#
# many settings can be overridden in a per-trust anchor section of the
# configuration file. For each trust anchor, only a SINGLE override
# section will be used. If a section named after the @ALIAS@ exists,
# it will take precedence over any section named after @ANCHORNAME@.
#
# To have a section work with either ".info" or ".crl_url" files, name it
# after the @ANCHORNAME@, since that one will be the same for both.
# Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
# (the latter is the commonly used file name), but using [16da7552] will
# result in the section being recognised in both cases
#
#
[16da7552]

# ---------------------------------------------------------------------------
# agingtolerance for this trust anchor specifically. Use it if the retrieval
# for this CA is unreliable.
#
# agingtolerance = 12
#
# ---------------------------------------------------------------------------
# replace the list of CRL URLs for this CA and this CRL sequence number
# by a completely new set. E.g. from a different place, or a local
# cache, or ...
#
# crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
#
# ---------------------------------------------------------------------------
# To never hear of this CA again, suppress both errors and warnings:
#noerrors
#nowarnings
#
# ---------------------------------------------------------------------------
# You can also (un)set the following on a per-trust anchor basis:
#
# (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
# either remove a global setting, or put in a new setting with value
#
# (no)warnings (no)noerrors (no)nocache --
# override a global setting (no value possible)
#
# agingtolerance httptimeout nametemplate_der nametemplate_pem
# cadir catemplate
# set these to a local value (but they cannot be unset)
#
#
# Share and enjoy -- and remember that up to 7 verbosity levels are
# significant :-) "-vvvvvvvv" is a useful option ...
#
#
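The list-separator rule, the single per-trust-anchor override section ([@ALIAS@] before [@ANCHORNAME@]) and the @TOKEN@ replacement used by the name templates and pre/postpend URLs, as an added Python example that is not part of fetch-crl3 itself (which is Perl). The configuration text inside it is constructed, and the "a bare noX in the override section removes global X" rule is a simplification assumed here, covering only the cases this file lists.

```python
import re

# Constructed sample in the page's own format (not any real site's file).
SAMPLE_CNF = """
formats = openssl; pem
nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
agingtolerance = 24
[16da7552]
agingtolerance = 12
crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem\001file:///etc/grid-security/certificates/16da7552.r0
nopostpend_url
"""

def parse_cnf(text):
    """{section: {key: value}}; '' is global; a bare word (e.g. 'nowarnings') is True."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            cur = m.group(1)
            sections.setdefault(cur, {})
            continue
        key, eq, val = line.partition("=")
        sections[cur][key.strip()] = val.strip() if eq else True
    return sections

def split_list(value):
    """List values are separated by ';' or by \\001 (^A)."""
    return [v.strip() for v in re.split(r"[;\x01]", value) if v.strip()]

def effective(sections, alias, anchorname):
    """Merge the one override section ([alias] wins over [anchorname]); assumed rule: bare 'noX' drops X."""
    cfg = dict(sections[""])
    over = sections.get(alias)
    if over is None:
        over = sections.get(anchorname, {})
    for key, val in over.items():
        if val is True and key.startswith("no") and key[2:] in cfg:
            cfg.pop(key[2:])
        else:
            cfg[key] = val
    return cfg

def expand(template, alias, anchorname, r):
    # Token replacement shared by nametemplate_* and pre/postpend URLs.
    return template.replace("@ALIAS@", alias).replace("@ANCHORNAME@", anchorname).replace("@R@", str(r))
```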
