macOS
brew install fetch-crllocal Homebrew formula metadata
sudo port install fetch-crlMacPorts ports tree · security/fetch-crl/Portfile · source: api.github.com
brew
Retrieve certificate revocation lists (CRLs). Version 3.0.23 via Homebrew; verified from local package data.
install
brew install fetch-crllocal Homebrew formula metadata
sudo port install fetch-crlMacPorts ports tree · security/fetch-crl/Portfile · source: api.github.com
sudo apt install fetch-crlDebian stable package indexes · fetch-crl · source: deb.debian.org
sudo dnf install fetch-crlFedora Rawhide package metadata · fetch-crl · source: dl.fedoraproject.org
overview
Retrieve certificate revocation lists (CRLs)
history
fetch-crl is a small but operationally important PKI utility for retrieving certificate revocation lists for installed trust anchors. Its home is grid and research-computing infrastructure rather than end-user security tooling: it reads trust-anchor metadata, downloads CRLs, verifies and formats them, and installs them where OpenSSL, NSS, or other consumers can find them.
The fetch-crl3 line is a complete rewrite of earlier fetch-crl 1.x and 2.x tools. The project README credits the original fetch-crl to Fabio Hernandez for the EU DataGrid project, notes significant contributions from Steve Traylen, and identifies David Groep as the author of the version 3 rewrite at Nikhef.
Official Nikhef documentation frames fetch-crl around IGTF-style trust-anchor deployments and points users to the IGTF distribution area for packages. That places the tool in the long-running grid-PKI maintenance path where administrators need repeatable CRL refreshes for certificate authorities rather than an interactive certificate-management application.
Typical use is unattended Unix administration: fetch-crl reads /etc/fetch-crl.conf by default, can merge drop-in files from /etc/fetch-crl.d, and defaults trust-anchor metadata to /etc/grid-security/certificates. Version 3 added stateful retrieval, HEAD requests, multiple output formats, proxy controls, retry/fallback URLs, per-trust-anchor suppression, and parallel retrieval.
For package maintainers, fetch-crl is interesting because it is glue code at the boundary between PKI policy, filesystem layout, init or cron scheduling, and library-specific certificate stores. Its version 3 rewrite removed dependencies on shell helpers such as wget and lynx, making the packaged behavior more self-contained and predictable.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
/etc/fetch-crl.conf/etc/fetch-crl.d/executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
clean-crl | cli | global executable | |
fetch-crl | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://wiki.nikhef.nl/grid/FetchCRL3
install metadata
| Package key | brew:fetch-crl |
|---|---|
| Version | 3.0.23 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/fetch-crl |
| Homepage | https://wiki.nikhef.nl/grid/FetchCRL3 |
| Repository | https://github.com/dlgroep/fetch-crl |
| Upstream docs | https://github.com/dlgroep/fetch-crl#readme |
| License | Apache-2.0 |
| Source archive | https://dist.eugridpma.info/distribution/util/fetch-crl3/fetch-crl-3.0.23.tar.gz |
| Uses from macOS | perl |
| Bottle | available (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | fetch-crl |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
fetch-crl 3.0.23-1
Downloads Certificate Revocation Lists
https://wiki.nikhef.nl/grid/FetchCRL3
sudo apt install fetch-crlfetch-crl 3.0.22-2
Downloads Certificate Revocation Lists
https://wiki.nikhef.nl/grid/FetchCRL3
sudo apt install fetch-crlfetch-crl 3.0.23-7.fc44
Downloads Certificate Revocation Lists
https://wiki.nikhef.nl/grid/FetchCRL3
sudo dnf install fetch-crlfetch-crl
sudo port install fetch-crlsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.