Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
>
> On the next renewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
>
> For example, for X=100, from certificate 1 to certificate 100, the
> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

The CDP is embedded when creating the certificate, so it might be possible (client side).

Server side, you can stack as many CRLs as you want into either a single file or a directory (using hashing) and point Apache to it. But you may have to apply a patch for handling multiple identical DNs:
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP in Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch
(I didn't test it anyway.)

-- 
The Mona Lisa doesn't smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres 69139920
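The partitioning scheme from the question and the two server-side "stacks" from the reply, worked through end to end with the OpenSSL command-line tools. This is an added example, not code from either poster: it assumes the `openssl` binary is on the PATH, uses X=2 instead of 100 so the run stays short, keeps the thread's `http://myca.com/crl/myca-NNNN.crl` naming for the CDPs, and builds the hashed directory in the `<hash>.0` / `<hash>.rN` layout that OpenSSL's `-CApath` lookup (and therefore mod_ssl's `SSLCARevocationPath`) reads. All key material, subjects and file names are constructed for the demo and are thrown away at exit.

```shell
#!/bin/sh
# Added example, not from the thread: partitioned CRLs with the OpenSSL CLI. X certificates
# per partition, the thread's CDP naming, one CRL per partition carrying a matching Issuing
# Distribution Point, then the reply's two server-side stacks: one file and a hashed directory.
set -eu
X=2                               # certificates per partition (the thread uses X=100)
CADIR=$(mktemp -d); trap 'rm -rf "$CADIR"' EXIT
export CADIR PART=0 CDP=none      # ca.cnf expands ${ENV::...} when it is loaded
partition_of() { echo $(( ($1 - 1) / X + 1 )); }                    # cert number -> partition
cdp_of()       { printf 'http://myca.com/crl/myca-%04d.crl' "$1"; }  # partition -> CDP URL

cat > "$CADIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir = ${ENV::CADIR}
# one database and CRL number per partition, so each partition gets its own CRL
database = $dir/index-${ENV::PART}.txt
crlnumber = $dir/crlnumber-${ENV::PART}
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
x509_extensions = leaf_ext
crl_extensions = crl_ext
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder-overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:${ENV::CDP}
[ crl_ext ]
authorityKeyIdentifier = keyid:always
# the CRL names its own distribution point, so a verifier can pick the CRL that covers a cert
issuingDistributionPoint = critical, @idp_sect
[ idp_sect ]
fullname = URI:${ENV::CDP}
EOF

mkdir "$CADIR/newcerts"; echo 01 > "$CADIR/serial"
openssl req -x509 -config "$CADIR/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" -subj "/CN=Partitioned Test CA" 2>/dev/null

use_partition() {                 # select partition $1's database, CRL number and CDP
  PART=$1; CDP=$(cdp_of "$1"); export PART CDP
  touch "$CADIR/index-$PART.txt"
  [ -f "$CADIR/crlnumber-$PART" ] || echo 01 > "$CADIR/crlnumber-$PART"; }
issue_cert() {                    # $1 = cert number; its CDP is fixed at issuance, as the reply says
  use_partition "$(partition_of "$1")"
  openssl req -new -config "$CADIR/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$CADIR/client-$1.key" -out "$CADIR/client-$1.csr" -subj "/CN=client-$1" 2>/dev/null
  openssl ca -batch -notext -config "$CADIR/ca.cnf" \
    -in "$CADIR/client-$1.csr" -out "$CADIR/client-$1.crt" >/dev/null 2>&1; }
revoke_cert() { use_partition "$(partition_of "$1")"
  openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/client-$1.crt" >/dev/null 2>&1; }
gen_crl() {                       # $1 = partition; the file name is the last part of its CDP URL
  use_partition "$1"
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/$(basename "$CDP")" >/dev/null 2>&1; }
crl_entries() {                   # number of revoked serials listed in partition $1's CRL
  openssl crl -noout -text -in "$CADIR/$(basename "$(cdp_of "$1")")" | grep -c 'Serial Number:' || true; }
build_store() {                   # (a) one concatenated file; (b) hashed dir: <hash>.0 CA, <hash>.rN CRLs
  cat "$CADIR"/myca-*.crl > "$CADIR/all-crls.pem"
  mkdir -p "$CADIR/hashed"
  ln -sf ../ca.crt "$CADIR/hashed/$(openssl x509 -noout -hash -in "$CADIR/ca.crt").0"
  n=0                             # same issuer, same hash: the CRLs become .r0, .r1, ...
  for f in "$CADIR"/myca-*.crl; do
    ln -sf "../$(basename "$f")" "$CADIR/hashed/$(openssl crl -noout -hash -in "$f").r$n"; n=$((n + 1))
  done; }
check_cert() {                    # $1 = cert number, $2 = file|dir; prints ok, revoked or error
  if [ "$2" = dir ]; then
    out=$(openssl verify -crl_check -CApath "$CADIR/hashed" "$CADIR/client-$1.crt" 2>&1 || true)
  else
    out=$(openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/all-crls.pem" \
            "$CADIR/client-$1.crt" 2>&1 || true)
  fi
  case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo ok ;; *) echo error ;; esac; }

for i in 1 2 3 4; do issue_cert "$i"; done   # certs 1-2 -> partition 1, certs 3-4 -> partition 2
revoke_cert 2; revoke_cert 3                 # one revocation in each partition
gen_crl 1; gen_crl 2; build_store
for i in 1 2 3 4; do
  echo "client-$i CDP=$(cdp_of "$(partition_of "$i")") file=$(check_cert "$i" file) dir=$(check_cert "$i" dir)"
done
```

The one thing the reply does not spell out is why the stacked directory is unambiguous here: every partition CRL carries an Issuing Distribution Point equal to the CDP of the certificates it covers. OpenSSL's CRL selection scores candidate CRLs on whether their scope matches the certificate's CDP, so the verifier (and mod_ssl on top of it) consults the right partition. Without the IDP all partition CRLs would score the same and only the freshest one would be consulted, so a revocation recorded in another partition's CRL would go unnoticed. The per-partition `index-N.txt` database is what keeps each `openssl ca -gencrl` output limited to its own partition; the shared `serial` file keeps certificate numbering global so the "X per partition" mapping stays simple.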