Steve Larson wrote:
> I am wanting to get CRL Distribution Points working within my client certs.
> Using Apache I am able to get certificate revocation working using the SSLCARevocationFile directive (using a local file).
> Using an http://www.webserver.com/crlfile.crl URL within the cert (CRL Distribution Point), it doesn't work. I have put the CRL on a remote web server. Watching the logs on the remote server I do not see the CRL being accessed.
> Any troubleshooting tips?
You can't do that - Apache can only look at local files.
We use an rsync script to replicate CRLs out to "CRL Web servers" and from there push copies out to Apache servers that need them. Also note that Apache doesn't notice that the CRL has been updated - so you need to HUP or restart Apache to reload it.
So far the only applications I've found that support reading remote CRLs are Web browsers (although IE/Outlook isn't reliable at that) and Cisco's VPN 3000 concentrator series. That isn't a definitive list - just what I've found to work well.
If you want to "pull" CRL updates, you'll need to write a script to do that. Actually, either way you'll need a script.
BTW: Does anyone know how IIS handles CRLs? As far as I'm aware, it still doesn't?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377  Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
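A "pull" script of the kind Jason describes, added here as an example (it is not Jason's rsync setup, nor anything shipped with Apache or OpenSSL): it fetches the CRL from the CDP URL in Steve's question, verifies its signature against the issuing CA, converts it to the PEM form SSLCARevocationFile reads, and replaces the file and reloads Apache only when the CRL actually changed. The CA and CRL paths and the apachectl reload command are assumptions, and curl and openssl are assumed to be installed.

```shell
#!/bin/sh
# Pull a CRL from its Distribution Point, verify it, install it as Apache's
# SSLCARevocationFile and reload Apache only when it changed.
set -u

CRL_URL="http://www.webserver.com/crlfile.crl"   # CDP URL from the client cert
CA_FILE="/etc/apache/ssl.crt/ca.crt"            # issuing CA certificate, PEM (assumed path)
CRL_FILE="/etc/apache/ssl.crl/ca.crl"           # what SSLCARevocationFile points at (assumed)
RELOAD_CMD="apachectl graceful"                 # Apache will not re-read the CRL by itself

# Fetch the CRL (CDP files are usually DER) into $2 as PEM, the form Apache expects.
fetch_crl() {
    curl -fsS -o "$2.der" "$1" || return 1
    openssl crl -inform DER -in "$2.der" -outform PEM -out "$2" || return 1
    rm -f "$2.der"
}

# Check the CRL signature against the issuing CA before trusting it:
# with -CAfile, openssl crl verifies the CRL and exits non-zero on failure.
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1
}

# 0 if the new CRL ($1) differs from the installed one ($2) or none is installed, 1 if identical.
crl_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# Replace the installed CRL atomically so Apache never reads a partial file.
install_crl() {
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp" "$tmp.der"' EXIT
    fetch_crl "$CRL_URL" "$tmp"  || { echo "fetch failed: $CRL_URL" >&2; exit 1; }
    verify_crl "$tmp" "$CA_FILE" || { echo "CRL signature did not verify" >&2; exit 1; }
    if crl_changed "$tmp" "$CRL_FILE"; then
        install_crl "$tmp" "$CRL_FILE" && $RELOAD_CMD && echo "CRL updated, Apache reloaded"
    else
        echo "CRL unchanged, no reload needed"
    fi
}

# Run only when CRL_PULL=1 is set (e.g. from cron), so the functions can also be sourced.
if [ -n "${CRL_PULL:-}" ]; then main; fi
```

Run it from cron with CRL_PULL=1 more often than the CRL's nextUpdate interval; checking nextUpdate before installing (openssl crl -noout -nextupdate) is a worthwhile addition so a stale CRL is not silently kept in service.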
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org