Automic VaultAutomic Vault

brew

Install fetch-crl with Homebrew, apt, dnf, MacPorts

Retrieve certificate revocation lists (CRLs). Version 3.0.23 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install fetch-crl

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install fetch-crl

MacPorts ports tree · security/fetch-crl/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install fetch-crl

Debian stable package indexes · fetch-crl · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install fetch-crl

Fedora Rawhide package metadata · fetch-crl · source: dl.fedoraproject.org

overview

Package summary

Retrieve certificate revocation lists (CRLs)

Commands and aliases

  • clean-crl
  • fetch-crl

history

Project history and usage

fetch-crl is a small but operationally important PKI utility for retrieving certificate revocation lists for installed trust anchors. Its home is grid and research-computing infrastructure rather than end-user security tooling: it reads trust-anchor metadata, downloads CRLs, verifies and formats them, and installs them where OpenSSL, NSS, or other consumers can find them.

Project history

The fetch-crl3 line is a complete rewrite of earlier fetch-crl 1.x and 2.x tools. The project README credits the original fetch-crl to Fabio Hernandez for the EU DataGrid project, notes significant contributions from Steve Traylen, and identifies David Groep as the author of the version 3 rewrite at Nikhef.

Adoption history

Official Nikhef documentation frames fetch-crl around IGTF-style trust-anchor deployments and points users to the IGTF distribution area for packages. That places the tool in the long-running grid-PKI maintenance path where administrators need repeatable CRL refreshes for certificate authorities rather than an interactive certificate-management application.

How it is used

Typical use is unattended Unix administration: fetch-crl reads /etc/fetch-crl.conf by default, can merge drop-in files from /etc/fetch-crl.d, and defaults trust-anchor metadata to /etc/grid-security/certificates. Version 3 added stateful retrieval, HEAD requests, multiple output formats, proxy controls, retry/fallback URLs, per-trust-anchor suppression, and parallel retrieval.

Why package nerds care

For package maintainers, fetch-crl is interesting because it is glue code at the boundary between PKI policy, filesystem layout, init or cron scheduling, and library-specific certificate stores. Its version 3 rewrite removed dependencies on shell helpers such as wget and lynx, making the packaged behavior more self-contained and predictable.

Timeline

  • EU DataGrid era: Original fetch-crl developed by Fabio Hernandez.
  • 2010-2013: fetch-crl3 copyright period in the README for David Groep and Nikhef-related research-grid work.
  • 3.0: Complete Perl rewrite, preserving the role of earlier 1.x and 2.x utilities while adding stateful retrieval and multiple output formats.
  • 3.0.23: Official Nikhef documentation lists proxy handling improvements as the package changes in that documentation.

Related projects

  • fetch-crl is closely tied to IGTF trust-anchor metadata, OpenSSL hash-directory conventions, NSS databases, and grid-security certificate directories.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 12 platform targets.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
/etc/fetch-crl.conf/etc/fetch-crl.d/

executables

Installed executables

CommandKindExposureNote
clean-crlcliglobal executable
fetch-crlcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version3.0.23
manager updated
local dataok
upstreamnot checked
latest detectednot detected

https://wiki.nikhef.nl/grid/FetchCRL3

  • infoNo package-manager update timestamp was available.low confidence
  • infoRelease/tag comparison is only available for GitHub repositories.https://wiki.nikhef.nl/grid/FetchCRL3none confidence

install metadata

Package metadata

Package keybrew:fetch-crl
Version3.0.23
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/fetch-crl
Homepagehttps://wiki.nikhef.nl/grid/FetchCRL3
Repositoryhttps://github.com/dlgroep/fetch-crl
Upstream docshttps://github.com/dlgroep/fetch-crl#readme
LicenseApache-2.0
Source archivehttps://dist.eugridpma.info/distribution/util/fetch-crl3/fetch-crl-3.0.23.tar.gz
Uses from macOSperl
Bottleavailable (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namefetch-crl
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

fetch-crl 3.0.23-1

Downloads Certificate Revocation Lists

https://wiki.nikhef.nl/grid/FetchCRL3

sudo apt install fetch-crl
  • Section: net
  • Architecture: all
  • 3 dependencies
  • normalized package name match
  • Matched by: Fetch Crl
Debian stable package indexes · deb.debian.org · Debian stable package indexes: fetch-crl from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Ubuntu apt95%

fetch-crl 3.0.22-2

Downloads Certificate Revocation Lists

https://wiki.nikhef.nl/grid/FetchCRL3

sudo apt install fetch-crl
  • Section: universe/net
  • Architecture: all
  • 3 dependencies
  • normalized package name match
  • Matched by: Fetch Crl
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: fetch-crl from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

fetch-crl 3.0.23-7.fc44

Downloads Certificate Revocation Lists

https://wiki.nikhef.nl/grid/FetchCRL3

sudo dnf install fetch-crl
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: noarch
  • Source Package: fetch-crl
  • 6 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Fetch Crl
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: fetch-crl from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
MacPorts95%

fetch-crl

sudo port install fetch-crl
  • normalized package name match
  • Matched by: Fetch Crl
MacPorts ports tree · api.github.com · MacPorts ports tree: security/fetch-crl/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment