/[pdpsoft]/nl.nikhef.pdp.fetchcrl/trunk/fetch-crl.cnf.example
ViewVC logotype

Annotation of /nl.nikhef.pdp.fetchcrl/trunk/fetch-crl.cnf.example

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2433 - (hide annotations) (download)
Mon Sep 26 13:40:54 2011 UTC (10 years ago) by davidg
File size: 12779 byte(s)
Settle on 3.0.8 version number for @HASH@ support. Update doc and chencges

1 davidg 1758 #
2     # EXAMPLE configuration file for Fetch-crl3
3     # @(#)$Id$
4     #
5     # configuration file fetch-crl3
6     # use SEMICOLON (;) or \001 (^A) as list separators in values
7     #
8     # ---------------------------------------------------------------------------
9 davidg 2084 # cfgdir sets the directory where subordinate configuration files are
10     # found. These files are read in addition to the main config file.
11     # The default directory is /etc/fetch-crl.d/ and is used by default, so
12     # to suppress this behaviour set this to the empty value ""
13     #
14     # cfgdir = /etc/fetch-crl.d
15     #
16     # ---------------------------------------------------------------------------
17 davidg 1758 # infoset set the location where the meta-data files (.info or .crl_url)
18     # are help by default. All trust anchors listed there are processes, so
19     # to suppress this behaviour set this to the empty value ""
20     #
21     # infodir = /etc/grid-security/certificates
22     #
23     # ---------------------------------------------------------------------------
24     # cadir sets the location where the trust anchors themselves are found, as
25     # PEM files, to be used in the CRL verification by openssl. They are usually
26     # names after the trust anchor proper name ("alias.0"), or after the filename
27     # of the trust anchor, the basename of the meta-data file name ("hash.0").
28     # It defaults to infodir
29     #
30     # cadir = /etc/grid-security/certificates
31     #
32     # ---------------------------------------------------------------------------
33     # output sets the location where the retrieved CRLs are written by default.
34     # It can be overridden on a per-output-format basis by setting the
35     # "output_<fmt>" options. It should point to a directory (even for the
36     # NSS output format. It defaults to infodir
37     #
38     # output = /etc/grid-security/certificates
39     #
40     # ---------------------------------------------------------------------------
41     # statedir points to the directory where per-CRL state files are kept. These
42     # state files record the retrieval time, last-retrieved (modification) time,
43     # best-before date and the (cached) content of the CRL. For the purposes of
44     # the CRL state, all CRL URLs for a particular trust anchor index are
45     # considered equal.
46     # If it is unset, no state is preserved, but the last-retrieved time is
47     # guessed from the modification time. If statedir does not exist, or is
48     # not writable, it is not used but silently ignored. Writeability is
49     # determined by perl's "-w" test.
50     # It defaults to /var/cache/fetch-crl
51     #
52     # statedir = /var/cache/fetch-crl
53     #
54     # ---------------------------------------------------------------------------
55     # formats lists one or more ways to write out the CRL to the output
56     # directories. It can be one or more of "openssl", "der", "pem", or "nss"
57     # in a comma-separated list.
58     # * the "openssl" format writes out "hash.rX" files, with <hash> being the
59     # first 4 bytes of the digest of the subject DN, and "X" a sequence number
60     # of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
61     # or above, it can write out the CRL with two possible hash algorithms at
62     # the same time: the 'old' MD5 of the binary subject DN representation, or
63     # the 'new' SHA1 based digest of the canonical representation. Whether
64     # one or two hashes are written is determined by the "opensslmode" option.
65     # * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
66     # after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
67     # in the output or output_pem directory
68     # * "der" does the same in DER binary format, to a file names
69     # after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
70     # in the output or output_der directory
71     # * "nss" adds (or replaces) the named CRL in the NSS database in
72     # <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
73     #
74     # formats = openssl
75     #
76     # ---------------------------------------------------------------------------
77     # specialised output directories
78     #
79     # output_pem = /etc/pki/tls/certs
80     # output_der = /var/tmp
81     # output_nss = /etc/pki/nssdb
82     #
83     # ---------------------------------------------------------------------------
84     # name templates are used to construct the file name of a CRL for installation
85     # based on the meta-data of the CA. It uses token replacement to construct
86     # a specific and unique filename. The tokens recognised are the same as those
87     # of the pre- and postpend URLs:
88     # @ANCHORNAME@ base name of the trust anchor meta-data file name
89     # @ALIAS@ alias name of the trust anchor from the info file (defaults
90     # to the @ANCHORNAME@)
91     # @R@ the sequence number of the CRL for this trust anchor
92     #
93     # nametemplate_der = @ANCHORNAME@.@R@.crl
94     # nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
95     #
96     # ---------------------------------------------------------------------------
97     # catemplate has a (list of) potential names of the certificate of the
98     # trust anchor -- it is used to find the CA data for verifying the
99     # retrieved CRLs. Even if you only use NSS databases, you need a directory
100     # with PEM formatted certificates of the issuing CAs.
101     #
102     # catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
103     #
104 davidg 2433 # When @HASH@ (c_hash from default OpenSSL version as based on the retrieved
105     # CRL) is used in this template list, a CRL will *always* be retrieved first,
106     # even if no corresponding trust anchor is found later. Use of @HASH@ is
107     # only recommended in case the name of the crl_url or info file is different
108     # from the name of the trust anchor.
109     #
110     # catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@; @HASH@.0
111     #
112 davidg 1758 # ---------------------------------------------------------------------------
113     # opensslmode is used if the openssl format for output is specified and also
114     # OpenSSL version 1.0.0 or higher are used. If so, you can have the CRL data
115     # be written out twice, once with the 'old' and once with the 'new' hash style
116     # Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
117     # are written
118     #
119     # opensslmode = dual
120     # opensslmode = single
121     #
122     # ---------------------------------------------------------------------------
123     # nonssverify disables the checking of imported CRLs into an NSS database.
124     # so that you can create a database withonly CRLs, and no CAs. It passes the
125     # "-B" option to the crlutil tool
126     #
127     # nonssverify
128     #
129     # ---------------------------------------------------------------------------
130 davidg 2202 # use up to <parallelism> thread in parallel to retrieve and install CRLs
131     # This feature is likely NOT COMPATIBLE with the use of NSS databases for
132     # CRLs, due to thread contention issues
133     #
134     # parallelism = 5
135     #
136     # ---------------------------------------------------------------------------
137 davidg 1758 # wait up to <randomwait> seconds before doing anything at all
138     # useful for randoming the start time and download from cron across the world
139     #
140     # randomwait = 0
141     #
142     # ---------------------------------------------------------------------------
143     # logmode defined how the log and error messages are written out:
144     # direct - print them immediately, only the message
145     # qualified - print immediately, but prexif it with the message type
146     # "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
147     # cache - save messages and dump them all at once at the end
148     # syslog - write the message to system with a decent severity level
149     # using facility <syslogfacility> (default: daemon)
150     #
151     # logmode = qualified
152     #
153     # ---------------------------------------------------------------------------
154     # wait at most <httptimeout> seconds for the retrieval of a data blob
155     # from a remote URL (http, https, or ftp). The timeout covers the whole
156     # retrieval process, incliding DNS resolution. Default is 120 seconds.
157     #
158     # httptimeout = 30
159     #
160     # ---------------------------------------------------------------------------
161     # httpproxy sets the url for the HTTP proxy to use (in perl LWP style). Or
162     # use ENV to pick up the settings from the environment
163     #
164     # http_proxy = http://localhost:8001/
165     #
166     # ---------------------------------------------------------------------------
167     # nowarnings suppresses the pritning and logging or any and all warnings (but
168     # not errors or verbose messages)
169     #
170     # nowarnings
171     #
172     # ---------------------------------------------------------------------------
173     # noerrors suppresses the pritning and logging or any and all errors (but
174     # not warnings or verbose messages)
175     #
176     # noerrors
177     #
178     # ---------------------------------------------------------------------------
179     # agingtolerance sets the time in hours before retrieval warnings become
180     # errors for a CRL retrieval. If you also suppress warnings, you will
181     # prevent any annoying messages for a trust anchor for up to <hrs> hours.
182     # The IGTF currently recommends an aging tolerance of 24 hours, to allow
183     # for network disruptions and connectivity problems.
184     #
185     # agingtolerance = 24
186     #
187     # ---------------------------------------------------------------------------
188     # prepend_url URLs are tried first before using any URLs form the crl_url
189     # file or the .info crl_url (crl_url.0) fields
190     #
191     # prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
192     #
193     # ---------------------------------------------------------------------------
194     # postpend_url URLs are tried last, only if all URLs form the crl_url file
195     # or the .info crl_url (crl_url.0) fields have already failed or timed out
196     #
197     # postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
198     #
199     # ---------------------------------------------------------------------------
200     # path to openssl version to use
201     # openssl = /usr/bin/openssl
202     #
203     # ---------------------------------------------------------------------------
204     # path to use to find utilities like OpenSSL or crlutil. Default leaves it
205     # unmodified
206     #
207     # path = /bin:/usr/bin:/usr/ucb
208     #
209     # ---------------------------------------------------------------------------
210     # settings "backups" will trigger the generation of backup files (~ files)
211     # when writing CRLs to an output destination.
212     #
213     # backups
214     #
215     # ---------------------------------------------------------------------------
216     # stateless supresses any use of the state directory, even if it exists and
217     # is writable
218     #
219     # stateless
220     #
221     # ---------------------------------------------------------------------------
222     # override version or packager to influence the User-Agent header in http
223     # requests. But please leave them alone
224     # version = 3.0
225     # packager = EUGridPMA
226    
227     # ===========================================================================
228     # PER TRUST ANCHOR OVERRIDES
229     # ===========================================================================
230     #
231     # many settings can be overrules in a per-trust anchor section of the
232     # configuration file. For each trust anchor, only a SINGLE override
233     # section will be used. If a section names after the @ALIAS@ exists,
234     # it will take precedence over any section named after @ANCHORNAME@.
235     #
236     # To have a section work with either ".info" or ".crl_url" files, name it
237     # after the @ANCHORNAME@, since that one will be the same for both.
238     # Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
239     # (the latter is the commonly used file name), but using [16da7552] will
240     # result in the section being recognised in both cases
241     #
242     #
243     [16da7552]
244    
245     # ---------------------------------------------------------------------------
246     # agingtolerance for this trust anchor specifically. Use it if the retrieval
247     # for this CA is unreliable.
248     #
249     # agingtolerance = 12
250     #
251     # ---------------------------------------------------------------------------
252     # replace the list of CRL URLs for this CA and this CRL sequence number
253     # by a completely new set. E.g. from a different place, or a local
254     # cache, or ...
255     #
256     # crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
257     #
258     # ---------------------------------------------------------------------------
259     # To never hear of this CA again, suppress both errors and warnings:
260     #noerrors
261     #nowarnings
262     #
263     # ---------------------------------------------------------------------------
264 davidg 1878 # Do not process symlinked meta-data, preventing triple downloads with
265     # the new-format IGTF distribution before release 1.37 (1.33 up to and
266     # including 1.36 also symlinked the .info file to the hash names)
267     #nosymlinks
268     #
269     # ---------------------------------------------------------------------------
270 davidg 1758 # You can also (un) set the following on a per-trust anchor basis:
271     #
272     # (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
273     # either remove a global setting, or put in a new setting with value
274     #
275     # (no)warnings (no)noerrors (no)nocache --
276     # override a global setting (no value possible)
277     #
278     # agingtolerance httptimeout nametemplate_der nametemplate_pem
279     # cadir catemplate
280     # set these to a local value (but they cannot be unset)
281     #
282     #
283     # Share and enjoy -- and remember that up to 7 verbosity levels are
284     # significant :-) "-vvvvvvvv" is a useful option ...
285     #
286     #

grid.support@nikhef.nl
ViewVC Help
Powered by ViewVC 1.1.28