/[pdpsoft]/nl.nikhef.pdp.fetchcrl/trunk/fetch-crl.cnf.example

Annotation of /nl.nikhef.pdp.fetchcrl/trunk/fetch-crl.cnf.example

Revision 2597
Wed Jan 30 08:22:08 2013 UTC by davidg
File size: 12987 byte(s)
allow override -quiet

#
# EXAMPLE configuration file for Fetch-crl3
# @(#)$Id$
#
# configuration file fetch-crl3
# use SEMICOLON (;) or \001 (^A) as list separators in values
#
# ---------------------------------------------------------------------------
# cfgdir sets the directory where subordinate configuration files are
# found. These files are read in addition to the main config file.
# The default directory is /etc/fetch-crl.d/ and is used by default, so
# to suppress this behaviour set this to the empty value ""
#
# cfgdir = /etc/fetch-crl.d
#
# ---------------------------------------------------------------------------
# infodir sets the location where the meta-data files (.info or .crl_url)
# are held by default. All trust anchors listed there are processed, so
# to suppress this behaviour set this to the empty value ""
#
# infodir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# cadir sets the location where the trust anchors themselves are found, as
# PEM files, to be used in the CRL verification by openssl. They are usually
# named after the trust anchor proper name ("alias.0"), or after the filename
# of the trust anchor, the basename of the meta-data file name ("hash.0").
# It defaults to infodir
#
# cadir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# output sets the location where the retrieved CRLs are written by default.
# It can be overridden on a per-output-format basis by setting the
# "output_<fmt>" options. It should point to a directory (even for the
# NSS output format). It defaults to infodir
#
# output = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# statedir points to the directory where per-CRL state files are kept. These
# state files record the retrieval time, last-retrieved (modification) time,
# best-before date and the (cached) content of the CRL. For the purposes of
# the CRL state, all CRL URLs for a particular trust anchor index are
# considered equal.
# If it is unset, no state is preserved, but the last-retrieved time is
# guessed from the modification time. If statedir does not exist, or is
# not writable, it is not used but silently ignored. Writability is
# determined by perl's "-w" test.
# It defaults to /var/cache/fetch-crl
#
# statedir = /var/cache/fetch-crl
#
# ---------------------------------------------------------------------------
# formats lists one or more ways to write out the CRL to the output
# directories. It can be one or more of "openssl", "der", "pem", or "nss"
# in a comma-separated list.
# * the "openssl" format writes out "hash.rX" files, with <hash> being the
#   first 4 bytes of the digest of the subject DN, and "X" a sequence number
#   of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
#   or above, it can write out the CRL with two possible hash algorithms at
#   the same time: the 'old' MD5 of the binary subject DN representation, or
#   the 'new' SHA1 based digest of the canonical representation. Whether
#   one or two hashes are written is determined by the "opensslmode" option.
# * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
#   after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
#   in the output or output_pem directory
# * "der" does the same in DER binary format, to a file named
#   after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
#   in the output or output_der directory
# * "nss" adds (or replaces) the named CRL in the NSS database in
#   <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
#
# formats = openssl
#
# ---------------------------------------------------------------------------
# specialised output directories
#
# output_pem = /etc/pki/tls/certs
# output_der = /var/tmp
# output_nss = /etc/pki/nssdb
#
# ---------------------------------------------------------------------------
# name templates are used to construct the file name of a CRL for installation
# based on the meta-data of the CA. It uses token replacement to construct
# a specific and unique filename. The tokens recognised are the same as those
# of the pre- and postpend URLs:
# @ANCHORNAME@ base name of the trust anchor meta-data file name
# @ALIAS@      alias name of the trust anchor from the info file (defaults
#              to the @ANCHORNAME@)
# @R@          the sequence number of the CRL for this trust anchor
#
# nametemplate_der = @ANCHORNAME@.@R@.crl
# nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
#
# ---------------------------------------------------------------------------
# catemplate has a (list of) potential names of the certificate of the
# trust anchor -- it is used to find the CA data for verifying the
# retrieved CRLs. Even if you only use NSS databases, you need a directory
# with PEM formatted certificates of the issuing CAs.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
#
# When @HASH@ (c_hash from default OpenSSL version as based on the retrieved
# CRL) is used in this template list, a CRL will *always* be retrieved first,
# even if no corresponding trust anchor is found later. Use of @HASH@ is
# only recommended in case the name of the crl_url or info file is different
# from the name of the trust anchor.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@; @HASH@.0
#
# ---------------------------------------------------------------------------
# opensslmode is used if the openssl format for output is specified and also
# OpenSSL version 1.0.0 or higher is used. If so, you can have the CRL data
# be written out twice, once with the 'old' and once with the 'new' hash style.
# Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
# are written
#
# opensslmode = dual
# opensslmode = single
#
# ---------------------------------------------------------------------------
# nonssverify disables the checking of CRLs imported into an NSS database,
# so that you can create a database with only CRLs, and no CAs. It passes the
# "-B" option to the crlutil tool
#
# nonssverify
#
# ---------------------------------------------------------------------------
# use up to <parallelism> threads in parallel to retrieve and install CRLs.
# This feature is likely NOT COMPATIBLE with the use of NSS databases for
# CRLs, due to thread contention issues
#
# parallelism = 5
#
# ---------------------------------------------------------------------------
# wait up to <randomwait> seconds before doing anything at all;
# useful for randomising the start time and download from cron across the world
#
# randomwait = 0
#
# ---------------------------------------------------------------------------
# logmode defines how the log and error messages are written out:
# direct    - print them immediately, only the message
# qualified - print immediately, but prefix it with the message type
#             "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
# cache     - save messages and dump them all at once at the end
# syslog    - write the message to syslog with a decent severity level
#             using facility <syslogfacility> (default: daemon)
#
# logmode = qualified
#
# ---------------------------------------------------------------------------
# wait at most <httptimeout> seconds for the retrieval of a data blob
# from a remote URL (http, https, or ftp). The timeout covers the whole
# retrieval process, including DNS resolution. Default is 120 seconds.
#
# httptimeout = 30
#
# ---------------------------------------------------------------------------
# http_proxy sets the url for the HTTP proxy to use (in perl LWP style). Or
# use ENV to pick up the settings from the environment
#
# http_proxy = http://localhost:8001/
#
# ---------------------------------------------------------------------------
# nowarnings suppresses the printing and logging of any and all warnings (but
# not errors or verbose messages)
#
# nowarnings
#
# ---------------------------------------------------------------------------
# noerrors suppresses the printing and logging of any and all errors (but
# not warnings or verbose messages)
#
# noerrors
#
# ---------------------------------------------------------------------------
# noquiet ignores any "-q" options on the commandline and honours the
# verbosity set here even if -q is specified
#
# noquiet
#
# ---------------------------------------------------------------------------
# agingtolerance sets the time in hours before retrieval warnings become
# errors for a CRL retrieval. If you also suppress warnings, you will
# prevent any annoying messages for a trust anchor for up to <hrs> hours.
# The IGTF currently recommends an aging tolerance of 24 hours, to allow
# for network disruptions and connectivity problems.
#
# agingtolerance = 24
#
# ---------------------------------------------------------------------------
# prepend_url URLs are tried first, before using any URLs from the crl_url
# file or the .info crl_url (crl_url.0) fields
#
# prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
#
# ---------------------------------------------------------------------------
# postpend_url URLs are tried last, only if all URLs from the crl_url file
# or the .info crl_url (crl_url.0) fields have already failed or timed out
#
# postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
#
# ---------------------------------------------------------------------------
# path to openssl version to use
# openssl = /usr/bin/openssl
#
# ---------------------------------------------------------------------------
# path to use to find utilities like OpenSSL or crlutil. Default leaves it
# unmodified
#
# path = /bin:/usr/bin:/usr/ucb
#
# ---------------------------------------------------------------------------
# setting "backups" will trigger the generation of backup files (~ files)
# when writing CRLs to an output destination.
#
# backups
#
# ---------------------------------------------------------------------------
# stateless suppresses any use of the state directory, even if it exists and
# is writable
#
# stateless
#
# ---------------------------------------------------------------------------
# override version or packager to influence the User-Agent header in http
# requests. But please leave them alone
# version = 3.0
# packager = EUGridPMA

# ===========================================================================
# PER TRUST ANCHOR OVERRIDES
# ===========================================================================
#
# many settings can be overridden in a per-trust anchor section of the
# configuration file. For each trust anchor, only a SINGLE override
# section will be used. If a section named after the @ALIAS@ exists,
# it will take precedence over any section named after @ANCHORNAME@.
#
# To have a section work with either ".info" or ".crl_url" files, name it
# after the @ANCHORNAME@, since that one will be the same for both.
# Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
# (the latter is the commonly used file name), but using [16da7552] will
# result in the section being recognised in both cases
#
#
[16da7552]

# ---------------------------------------------------------------------------
# agingtolerance for this trust anchor specifically. Use it if the retrieval
# for this CA is unreliable.
#
# agingtolerance = 12
#
# ---------------------------------------------------------------------------
# replace the list of CRL URLs for this CA and this CRL sequence number
# by a completely new set. E.g. from a different place, or a local
# cache, or ...
#
# crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
#
# ---------------------------------------------------------------------------
# To never hear of this CA again, suppress both errors and warnings:
#noerrors
#nowarnings
#
# ---------------------------------------------------------------------------
# Do not process symlinked meta-data, preventing triple downloads with
# the new-format IGTF distribution before release 1.37 (1.33 up to and
# including 1.36 also symlinked the .info file to the hash names)
#nosymlinks
#
# ---------------------------------------------------------------------------
# You can also (un)set the following on a per-trust anchor basis:
#
# (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
#   either remove a global setting, or put in a new setting with value
#
# (no)warnings (no)noerrors (no)nocache --
#   override a global setting (no value possible)
#
# agingtolerance httptimeout nametemplate_der nametemplate_pem
# cadir catemplate --
#   set these to a local value (but they cannot be unset)
#
#
# Share and enjoy -- and remember that up to 7 verbosity levels are
# significant :-) "-vvvvvvvv" is a useful option ...
#
#
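The two rules that matter most when reading this file are the name-template token replacement (@ANCHORNAME@, @ALIAS@ defaulting to @ANCHORNAME@, @R@, with ";" or \001 as list separators in catemplate and nametemplate_*) and the per-trust-anchor override precedence (a single section applies; [@ALIAS@] wins over [@ANCHORNAME@], and a section named after the @ANCHORNAME@ matches both .info and .crl_url files). The Python below models both rules as an added example; it is not fetch-crl code (fetch-crl is a Perl program and its own config parser is not reproduced here). The sample configuration text, the use of Python's configparser with "=" as the only delimiter, the pseudo-section name "__global__", and all function names are assumptions made for the illustration.

```python
"""Added example (not part of fetch-crl): override-section precedence and
@TOKEN@ expansion as documented in fetch-crl.cnf.example."""
import configparser
import re
from typing import List, Optional

# Constructed sample configuration, modelled on the documented syntax.
# Global options come first; [16da7552] is the @ANCHORNAME@ of the DutchGrid
# "NIKHEF" CA and [NIKHEF] is its @ALIAS@ (both taken from the comments above).
SAMPLE_CNF = """
infodir = /etc/grid-security/certificates
agingtolerance = 24
nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
nowarnings

[16da7552]
# named after @ANCHORNAME@: found for both .info and .crl_url meta-data
agingtolerance = 12
crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0

[NIKHEF]
# named after @ALIAS@: takes precedence when the .info file supplies an alias
agingtolerance = 6
"""

GLOBAL = "__global__"          # assumed name for the section-less top part
LIST_SEP = re.compile(r"[;\x01]")   # SEMICOLON or \001 (^A), as documented


def load_config(text: str) -> configparser.ConfigParser:
    """Parse fetch-crl-style text. Bare flags such as 'nowarnings' carry no
    value, and option names keep their case (crl_url.0 stays crl_url.0)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return cp


def split_list(value: str) -> List[str]:
    """Split a list-valued option on ';' or \\001 and drop surrounding blanks."""
    return [v.strip() for v in LIST_SEP.split(value) if v.strip()]


def expand(template: str, anchorname: str, alias: Optional[str], r: int) -> str:
    """Token replacement; @ALIAS@ falls back to @ANCHORNAME@ when no alias is known."""
    tokens = {"@ANCHORNAME@": anchorname,
              "@ALIAS@": alias or anchorname,
              "@R@": str(r)}
    for tok, val in tokens.items():
        template = template.replace(tok, val)
    return template


def override_section(cp: configparser.ConfigParser, anchorname: str,
                     alias: Optional[str]) -> Optional[str]:
    """The SINGLE override section used for this trust anchor:
    [alias] if present, otherwise [anchorname], otherwise none."""
    for name in (alias, anchorname):
        if name and cp.has_section(name):
            return name
    return None


def effective(cp: configparser.ConfigParser, key: str, anchorname: str,
              alias: Optional[str]) -> Optional[str]:
    """Value of `key` for this trust anchor: override section first, then the
    global section. Returns None for a bare flag or an absent option."""
    sec = override_section(cp, anchorname, alias)
    if sec and cp.has_option(sec, key):
        return cp.get(sec, key)
    if cp.has_option(GLOBAL, key):
        return cp.get(GLOBAL, key)
    return None


def candidate_ca_files(cp: configparser.ConfigParser, anchorname: str,
                       alias: Optional[str], r: int) -> List[str]:
    """Expand the effective catemplate list into the CA file names that would
    be tried, in order, to find the verifying certificate."""
    tmpl = effective(cp, "catemplate", anchorname, alias) or ""
    return [expand(t, anchorname, alias, r) for t in split_list(tmpl)]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CNF)
    for anchor, alias in (("16da7552", "NIKHEF"), ("16da7552", None), ("deadbeef", None)):
        print(anchor, alias, "section:", override_section(cfg, anchor, alias),
              "agingtolerance:", effective(cfg, "agingtolerance", anchor, alias),
              "CA candidates:", candidate_ca_files(cfg, anchor, alias, 0))
```

Running the block shows the documented precedence: with the alias known the [NIKHEF] section applies (agingtolerance 6), with only the file name known the [16da7552] section applies (12), and an anchor with no section of its own falls through to the global value (24). The constructed anchor name "deadbeef" is a placeholder, not a real trust anchor.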
