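#
# EXAMPLE configuration file for Fetch-crl3
# @(#)$Id$
#
# configuration file fetch-crl3
# use SEMICOLON (;) or \001 (^A) as list separators in values
#
# SECURITY NOTE: retrieved CRLs are verified by openssl against the PEM
# trust anchors found in cadir (see below). The trustworthiness of the
# installed revocation data therefore rests on (a) the trust anchors in
# cadir/infodir, (b) the openssl and crlutil binaries located via the
# "openssl" and "path" settings, and (c) the configuration in this file and
# in cfgdir. Keep all of these writable by the administrator only.
# Plain http:// CRL URLs are acceptable because the CRL itself carries the
# CA's signature, but transport alone cannot stop an on-path party from
# replaying an older CRL that is still within its validity period.
#
# ---------------------------------------------------------------------------
# cfgdir sets the directory where subordinate configuration files are
# found. These files are read in addition to the main config file.
# The default directory is /etc/fetch-crl.d/ and is used by default, so
# to suppress this behaviour set this to the empty value ""
# Files in cfgdir can set or override any of the settings below (including
# cadir and the per-trust-anchor crl_url lists), so the directory and its
# contents must be writable by the administrator only.
#
# cfgdir = /etc/fetch-crl.d
#
# ---------------------------------------------------------------------------
# infodir sets the location where the meta-data files (.info or .crl_url)
# are held by default. All trust anchors listed there are processed, so
# to suppress this behaviour set this to the empty value ""
#
# infodir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# cadir sets the location where the trust anchors themselves are found, as
# PEM files, to be used in the CRL verification by openssl. They are usually
# named after the trust anchor proper name ("alias.0"), or after the filename
# of the trust anchor, the basename of the meta-data file name ("hash.0").
# It defaults to infodir
#
# cadir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# output sets the location where the retrieved CRLs are written by default.
# It can be overridden on a per-output-format basis by setting the
# "output_<fmt>" options. It should point to a directory (even for the
# NSS output format). It defaults to infodir
#
# output = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# statedir points to the directory where per-CRL state files are kept. These
# state files record the retrieval time, last-retrieved (modification) time,
# best-before date and the (cached) content of the CRL. For the purposes of
# the CRL state, all CRL URLs for a particular trust anchor index are
# considered equal.
# If it is unset, no state is preserved, but the last-retrieved time is
# guessed from the modification time. If statedir does not exist, or is
# not writable, it is not used but silently ignored. Writability is
# determined by perl's "-w" test.
# Because that fallback is silent, verify that the directory exists and is
# writable by the account running fetch-crl. As the state files hold cached
# CRL content, the directory should not be writable by anyone else.
# It defaults to /var/cache/fetch-crl
#
# statedir = /var/cache/fetch-crl
#
# ---------------------------------------------------------------------------
# formats lists one or more ways to write out the CRL to the output
# directories. It can be one or more of "openssl", "der", "pem", or "nss"
# in a list (use the list separators described at the top of this file).
# * the "openssl" format writes out "hash.rX" files, with <hash> being the
# first 4 bytes of the digest of the subject DN, and "X" a sequence number
# of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
# or above, it can write out the CRL with two possible hash algorithms at
# the same time: the 'old' MD5 of the binary subject DN representation, or
# the 'new' SHA1 based digest of the canonical representation. Whether
# one or two hashes are written is determined by the "opensslmode" option.
# * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
# after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
# in the output or output_pem directory
# * "der" does the same in DER binary format, to a file named
# after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
# in the output or output_der directory
# * "nss" adds (or replaces) the named CRL in the NSS database in
# <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
#
# formats = openssl
#
# ---------------------------------------------------------------------------
# specialised output directories
# NOTE: the /var/tmp example below is illustrative only. Do not install
# CRLs into a world-writable or shared temporary directory in production,
# since any local user could then replace or remove them.
#
# output_pem = /etc/pki/tls/certs
# output_der = /var/tmp
# output_nss = /etc/pki/nssdb
#
# ---------------------------------------------------------------------------
# name templates are used to construct the file name of a CRL for installation
# based on the meta-data of the CA. It uses token replacement to construct
# a specific and unique filename. The tokens recognised are the same as those
# of the pre- and postpend URLs:
# @ANCHORNAME@ base name of the trust anchor meta-data file name
# @ALIAS@ alias name of the trust anchor from the info file (defaults
# to the @ANCHORNAME@)
# @R@ the sequence number of the CRL for this trust anchor
#
# nametemplate_der = @ANCHORNAME@.@R@.crl
# nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
#
# ---------------------------------------------------------------------------
# catemplate has a (list of) potential names of the certificate of the
# trust anchor -- it is used to find the CA data for verifying the
# retrieved CRLs. Even if you only use NSS databases, you need a directory
# with PEM formatted certificates of the issuing CAs.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
#
# ---------------------------------------------------------------------------
# opensslmode is used if the openssl format for output is specified and also
# OpenSSL version 1.0.0 or higher is used. If so, you can have the CRL data
# be written out twice, once with the 'old' and once with the 'new' hash style.
# Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
# are written
#
# opensslmode = dual
# opensslmode = single
#
# ---------------------------------------------------------------------------
# nonssverify disables the checking of imported CRLs into an NSS database,
# so that you can create a database with only CRLs, and no CAs. It passes the
# "-B" option to the crlutil tool.
# The openssl verification of the retrieved CRL against the trust anchor
# (see catemplate) is a separate step and is not affected by this option;
# only crlutil's own import-time check is skipped.
#
# nonssverify
#
# ---------------------------------------------------------------------------
# wait up to <randomwait> seconds before doing anything at all
# useful for randomising the start time and download from cron across the world
#
# randomwait = 0
#
# ---------------------------------------------------------------------------
# logmode defines how the log and error messages are written out:
# direct - print them immediately, only the message
# qualified - print immediately, but prefix it with the message type
# "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
# cache - save messages and dump them all at once at the end
# syslog - write the message to syslog with a decent severity level
# using facility <syslogfacility> (default: daemon)
#
# logmode = qualified
#
# ---------------------------------------------------------------------------
# wait at most <httptimeout> seconds for the retrieval of a data blob
# from a remote URL (http, https, or ftp). The timeout covers the whole
# retrieval process, including DNS resolution. Default is 120 seconds.
#
# httptimeout = 30
#
# ---------------------------------------------------------------------------
# http_proxy sets the url for the HTTP proxy to use (in perl LWP style). Or
# use ENV to pick up the settings from the environment
#
# http_proxy = http://localhost:8001/
#
# ---------------------------------------------------------------------------
# nowarnings suppresses the printing and logging of any and all warnings (but
# not errors or verbose messages)
#
# nowarnings
#
# ---------------------------------------------------------------------------
# noerrors suppresses the printing and logging of any and all errors (but
# not warnings or verbose messages)
# Use with care: a CRL that can no longer be retrieved will then age out
# without anyone being told, and depending on the policy of the software
# consuming the CRLs this either causes failures there or, worse, lets
# revoked certificates go unnoticed.
#
# noerrors
#
# ---------------------------------------------------------------------------
# agingtolerance sets the time in hours before retrieval warnings become
# errors for a CRL retrieval. If you also suppress warnings, you will
# prevent any annoying messages for a trust anchor for up to <hrs> hours.
# The IGTF currently recommends an aging tolerance of 24 hours, to allow
# for network disruptions and connectivity problems.
#
# agingtolerance = 24
#
# ---------------------------------------------------------------------------
# prepend_url URLs are tried first before using any URLs from the crl_url
# file or the .info crl_url (crl_url.0) fields
#
# prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
#
# ---------------------------------------------------------------------------
# postpend_url URLs are tried last, only if all URLs from the crl_url file
# or the .info crl_url (crl_url.0) fields have already failed or timed out
#
# postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
#
# ---------------------------------------------------------------------------
# path to openssl version to use
# openssl = /usr/bin/openssl
#
# ---------------------------------------------------------------------------
# path to use to find utilities like OpenSSL or crlutil. Default leaves it
# unmodified. List only directories that are writable by the administrator
# alone: the binaries found here perform the CRL verification and import.
#
# path = /bin:/usr/bin:/usr/ucb
#
# ---------------------------------------------------------------------------
# setting "backups" will trigger the generation of backup files (~ files)
# when writing CRLs to an output destination.
#
# backups
#
# ---------------------------------------------------------------------------
# stateless suppresses any use of the state directory, even if it exists and
# is writable
#
# stateless
#
# ---------------------------------------------------------------------------
# override version or packager to influence the User-Agent header in http
# requests. But please leave them alone
# version = 3.0
# packager = EUGridPMA

# ===========================================================================
# PER TRUST ANCHOR OVERRIDES
# ===========================================================================
#
# many settings can be overridden in a per-trust anchor section of the
# configuration file. For each trust anchor, only a SINGLE override
# section will be used. If a section named after the @ALIAS@ exists,
# it will take precedence over any section named after @ANCHORNAME@.
#
# To have a section work with either ".info" or ".crl_url" files, name it
# after the @ANCHORNAME@, since that one will be the same for both.
# Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
# (the latter is the commonly used file name), but using [16da7552] will
# result in the section being recognised in both cases
#
#
[16da7552]

# ---------------------------------------------------------------------------
# agingtolerance for this trust anchor specifically. Use it if the retrieval
# for this CA is unreliable.
#
# agingtolerance = 12
#
# ---------------------------------------------------------------------------
# replace the list of CRL URLs for this CA and this CRL sequence number
# by a completely new set. E.g. from a different place, or a local
# cache, or ...
#
# crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
#
# ---------------------------------------------------------------------------
# To never hear of this CA again, suppress both errors and warnings
# (see the caveat on noerrors above: retrieval problems for this CA will
# then go entirely unreported):
#noerrors
#nowarnings
#
# ---------------------------------------------------------------------------
# Do not process symlinked meta-data, preventing triple downloads with
# the new-format IGTF distribution before release 1.37 (1.33 up to and
# including 1.36 also symlinked the .info file to the hash names)
#nosymlinks
#
# ---------------------------------------------------------------------------
# You can also (un)set the following on a per-trust anchor basis:
#
# (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
# either remove a global setting, or put in a new setting with value
#
# (no)warnings (no)noerrors (no)nocache --
# override a global setting (no value possible)
#
# agingtolerance httptimeout nametemplate_der nametemplate_pem
# cadir catemplate
# set these to a local value (but they cannot be unset)
#
#
# Share and enjoy -- and remember that up to 7 verbosity levels are
# significant :-) "-vvvvvvvv" is a useful option ...
#
#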