crlrefresh - update and maintain system-wide CRL cache
crlrefresh command [command-args] [options]
crlrefresh r [options]
crlrefresh f URL [options]
crlrefresh F URI [options]
r Refresh the entire CRL cache
f Fetch a CRL from specified URL
F Fetch a Certificate from specified URL
Refresh and update the cache of Certificate Revocation Lists (CRLs), which are optionally used
for verifying X.509 certificates.
Background:
CRLs have a validity from one day upwards.
crlrefresh fetches replacements for CRLs that are, or will soon be, invalid, or fetches specific CRLs and certificates from the network.
The URL specified in f and F must be "http:" or "ldap:".
Typically run by cron.
s=stale_period
Specify the time in days after a CRL has expired at which the CRL is deleted
from the CRL cache. The default is 10 days.
o=expire_overlap
Specify the time in seconds prior to a CRL's expiration when a refresh action will attempt to
replace the CRL with a fresh copy.
p Purge all entries from the CRL cache, ensuring refresh with fresh CRLs. Normally, CRLs whose
expiration date is more than expire_overlap past the current time are not refreshed.
f Perform full cryptographic verification of all CRLs in the CRL cache. Normally this step is
only performed when a CRL is actually used to validate a certificate.
k=keychain_name
The full path to the CRL cache (which is always a keychain). The default is
/var/db/crls/crlcache.db.
v Provide verbose output during operation.
F=output_file_name
When fetching a CRL or certificate, specifies the destination to which the fetched entity will
be written. If this is not specified then the fetched entity is sent to stdout.
n When fetching a CRL, this inhibits the addition of the fetched CRL to the system CRL cache.
v Execute in verbose mode.
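How s=stale_period (days), o=expire_overlap (seconds) and p combine during a refresh, modelled as an added Python example; this is not crlrefresh's own code. The function names, the sample CRL names, the 3600-second overlap and the handling of exact boundary times are assumptions.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_STALE_DAYS = 10  # default stale_period stated on this page


def classify(next_update, now, expire_overlap_s,
             stale_days=DEFAULT_STALE_DAYS, purge=False):
    """Return 'delete', 'refresh' or 'keep' for one cached CRL.

    next_update      -- the CRL's expiration time
    expire_overlap_s -- value of o=, in seconds
    stale_days       -- value of s=, in days
    purge            -- True models the p option
    """
    if purge:
        return "refresh"  # p: every entry is purged, then fetched again
    if now >= next_update + timedelta(days=stale_days):
        return "delete"   # expired for stale_period days or more (assumed >=)
    if next_update - now <= timedelta(seconds=expire_overlap_s):
        return "refresh"  # already expired, or expiring within expire_overlap
    return "keep"         # expiration lies beyond the overlap window


def plan(cache, now, **opts):
    """Map each cached CRL name to the action a refresh run would take."""
    return {name: classify(exp, now, **opts) for name, exp in cache.items()}


# Constructed sample cache: name -> expiration time (not real data).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CACHE = {
    "ca-a.crl": NOW + timedelta(days=5),      # valid for days yet
    "ca-b.crl": NOW + timedelta(minutes=30),  # expires inside a 3600 s overlap
    "ca-c.crl": NOW - timedelta(days=2),      # expired, not yet stale
    "ca-d.crl": NOW - timedelta(days=11),     # expired longer than 10 days
}

if __name__ == "__main__":
    for name, action in plan(SAMPLE_CACHE, NOW, expire_overlap_s=3600).items():
        print(f"{name}: {action}")
```

The case to watch is ca-c.crl: an expired CRL stays in the cache until stale_period elapses, so a long s= value combined with failed fetches keeps out-of-date revocation data on disk.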
FILES
/var/db/crls/crlcache.db
System CRL cache database
SEE ALSO
cron(8)