Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

crlrefresh(1) [osx man page]

CRLREFRESH(1)						      General Commands Manual						     CRLREFRESH(1)

crlrefresh - update and maintain system-wide CRL cache SYNOPSIS
crlrefresh command [command-args] [options] crlrefresh r [options] crlrefresh f URL [options] crlrefresh F URI [options] CRLREFRESH COMMAND SUMMARY
r Refresh the entire CRL cache f Fetch a CRL from specified URL F Fetch a Certificate from specified URL DESCRIPTION
Crlrefresh is a UNIX command-line program which is used to refresh and update the contents of the system-wide cache of Certificate Revoca- tion Lists (CRLs). CRLs, which are optionally used as part of the procedure for verifying X.509 certificates, are typically fetched from the network using a URL which appears in (some) certificates. Caching CRLs is an optimization to avoid costs of network latency and/or unavailability. Each CRL has a finite validity time which is specified in the CRL itself. This validity time may be as short as one day, or it may be much longer. Crlrefresh examines the contents of the CRL cache and updates - via network fetch - all CRLs which are currently, or will soon be, invalid. Crlrefresh is also use to fetch specific CRLs and certificates from the network; CRLs fetched via crlrefresh will be added to the CRL cache as well as provided to the specified output file (or to stdout if no output file is provided). The URL specified in the f and F commands must have schema "http:" or "ldap:". Typically, crlrefresh would be run on a regular basis via one of the configu- ration files used by the cron(8) program. CRLREFRESH OPTION SUMMARY
s=stale_period Specify the time in days which, having elapsed after a CRL is expired, that the CRL is deleted fromt he CRL cache. The default is 10 days. o=expire_overlap Specify the time in seconds prior to a CRL's expiration when a refresh action will attempt to replace the CRL with a fresh copy. p Purge all entries from the CRL cache, ensuring refresh with fresh CRLs. Normally, CRLs whose expiration date is more than expire_overlap past the current time are not refreshed. f Perform full cryptographic verification of all CRLs in the CRL cache. Normally this step is only performed when a CRL is actually used to validate a certificate. k=keychain_name The full path to the CRL cache (which is always a keychain). The default is /var/db/crls/crlcache.db. v Provide verbose output during operation. F=output_file_name When fetching a CRL or certificate, specifies the destination to which the fetched entity will be written. If this is not specified then the fetched entity is sent to stdout. n When fetching a CRL, this inhibits the addition of the fetched CRL to the system CRL cache. v Execute in verbose mode. FILES
/var/db/crls/crlcache.db System CRL cache database SEE ALSO
cron(8) Apple Computer, Inc. April 13, 2004 CRLREFRESH(1)

Check Out this Related Man Page

CRL(1)								      OpenSSL								    CRL(1)

crl - CRL utility LIBRARY
libcrypto, -lcrypto SYNOPSIS
openssl crl [-inform PEM|DER] [-outform PEM|DER] [-text] [-in filename] [-out filename] [-nameopt option] [-noout] [-hash] [-issuer] [-lastupdate] [-nextupdate] [-CAfile file] [-CApath dir] DESCRIPTION
The crl command processes CRL files in DER or PEM format. COMMAND OPTIONS
-inform DER|PEM This specifies the input format. DER format is DER encoded CRL structure. PEM (the default) is a base64 encoded version of the DER form with header and footer lines. -outform DER|PEM This specifies the output format, the options have the same meaning as the -inform option. -in filename This specifies the input filename to read from or standard input if this option is not specified. -out filename specifies the output filename to write to or standard output by default. -text print out the CRL in text form. -nameopt option option which determines how the subject or issuer names are displayed. See the description of -nameopt in openssl_x509(1). -noout don't output the encoded version of the CRL. -hash output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name. -hash_old outputs the "hash" of the CRL issuer name using the older algorithm as used by OpenSSL versions before 1.0.0. -issuer output the issuer name. -lastupdate output the lastUpdate field. -nextupdate output the nextUpdate field. -CAfile file verify the signature on a CRL by looking up the issuing certificate in file -CApath dir verify the signature on a CRL by looking up the issuing certificate in dir. This directory must be a standard certificate directory: that is a hash of each subject name (using x509 -hash) should be linked to each certificate. NOTES
The PEM CRL format uses the header and footer lines: -----BEGIN X509 CRL----- -----END X509 CRL----- EXAMPLES
Convert a CRL file from PEM to DER: openssl crl -in crl.pem -outform DER -out crl.der Output the text form of a DER encoded certificate: openssl crl -in crl.der -text -noout BUGS
Ideally it should be possible to create a CRL using appropriate options and files too. SEE ALSO
openssl_crl2pkcs7(1), openssl_ca(1), openssl_x509(1) 1.0.1i 2014-08-10 CRL(1)
Man Page