crlrefresh - update and maintain system-wide CRL cache

crlrefresh command [command-args] [options]
crlrefresh r [options]
crlrefresh f URL [options]
crlrefresh F URI [options]

r Refresh the entire CRL cache
f Fetch a CRL from specified URL
F Fetch a Certificate from specified URL

Refresh and update the cache of Certificate Revocation Lists (CRLs), optionally used for verifying X.509 certificates.

Background: CRLs have a validity from one day upwards. crlrefresh fetches those which are, or will soon be, invalid, or specific CRLs and certificates, from the network.

The URL specified in f and F must be "http:" or "ldap:". Typically run by cron.

s=stale_period Specify the time in days after a CRL has expired at which the CRL is deleted from the CRL cache. The default is 10 days.
o=expire_overlap Specify the time in seconds prior to a CRL's expiration when a refresh action will attempt to replace the CRL with a fresh copy.
p Purge all entries from the CRL cache, ensuring refresh with fresh CRLs. Normally, CRLs whose expiration date is more than expire_overlap past the current time are not refreshed.
f Perform full cryptographic verification of all CRLs in the CRL cache. Normally this step is only performed when a CRL is actually used to validate a certificate.
k=keychain_name The full path to the CRL cache (which is always a keychain). The default is /var/db/crls/crlcache.db.
v Provide verbose output during operation.
F=output_file_name When fetching a CRL or certificate, specifies the destination to which the fetched entity will be written. If this is not specified then the fetched entity is sent to stdout.
n When fetching a CRL, this inhibits the addition of the fetched CRL to the system CRL cache.
v Execute in verbose mode.


/var/db/crls/crlcache.db System CRL cache database
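
A model of the refresh-time decision that the s, o and p options control, as an added example that is not part of the original man page and is not crlrefresh's own code. The function names, the one-hour expire_overlap value, the boundary comparisons and the precedence of stale deletion over purge are assumptions; the sample cache is constructed.

```python
from datetime import datetime, timedelta, timezone


def classify(next_update, now, stale_days=10, overlap_secs=3600, purge=False):
    """Return 'DELETE', 'REFRESH' or 'KEEP' for one cached CRL.

    next_update  -- the CRL's expiration time
    stale_days   -- s=stale_period (10 days is the documented default)
    overlap_secs -- o=expire_overlap (3600 is a constructed value, not a default)
    purge        -- p option: refresh every entry regardless of expiration
    """
    # Expired for stale_period or longer: drop from the cache.
    # Assumption: this check takes precedence over purge.
    if now >= next_update + timedelta(days=stale_days):
        return "DELETE"
    # p forces a fresh copy even for CRLs that are far from expiring.
    if purge:
        return "REFRESH"
    # Already expired, or expiring within expire_overlap: fetch a replacement.
    if next_update - now <= timedelta(seconds=overlap_secs):
        return "REFRESH"
    # Expiration is more than expire_overlap away: not refreshed.
    return "KEEP"


def plan(cache, now, **opts):
    """Map each cache entry name to the action a refresh run would take."""
    return {name: classify(nu, now, **opts) for name, nu in cache.items()}


# Constructed sample cache: entry name -> CRL expiration time.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CACHE = {
    "fresh": NOW + timedelta(days=5),
    "expiring": NOW + timedelta(minutes=30),
    "expired": NOW - timedelta(days=2),
    "stale": NOW - timedelta(days=11),
}

if __name__ == "__main__":
    for name, action in plan(SAMPLE_CACHE, NOW).items():
        print(f"{name:10s} {action}")
```

An expired entry that is not yet stale stays in the cache until a refresh replaces it or stale_period elapses, so a shorter s value bounds how long an unreachable issuer's old CRL lingers.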