> After digging around, I think I figured this out. I have to add a
> crlDistributionPoints section to my OpenSSL configuration file and
> regenerate my CA that I am using. Does that sound correct?
You would need to do that if you are not presently issuing certs with the crlDistributionPoints extension field and you want to use CRLDistributionPointRevocationChecker. There is another component that supports specifying a static URI to the CRL endpoint, ResourceCRLRevocationChecker.

In either case I had assumed that you would be using certs issued from a PKI that has some kind of support for revocation, either CRL or OCSP. I would say that requirement holds generally. If you're developing a PKI in tandem with rolling out X.509 support in CAS, then you should certainly consider a number of policy concerns, among them revocation. We have an entire team dedicated to our PKI; it's a lot of work, largely in crafting policy at a high level and implementing it in software/systems.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
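The procedure the two messages above describe (a crlDistributionPoints extension in the OpenSSL config, a regenerated CA, and a CRL that a revocation checker can consult), worked through as an added example. This is not code from the CAS project or from either poster: it is a POSIX sh script against the openssl CLI, and the CA name, the CRL URL, the subject names and the directory layout are all made up for the demo. The two last functions only emulate offline what the thread attributes to the two CAS checkers (pull the CRL URI out of the cert, then test the cert against a CRL); they are not CAS code.

```shell
#!/bin/sh
# Throwaway OpenSSL CA for the demo (all names, paths and the URL are assumed).
set -eu
CDP_URL="http://pki.example.org/ca.crl"   # assumed CRL endpoint, nothing is served there

# Lay out the directory 'openssl ca' expects and write the config. [ usr_cert ]
# is the section the question is about: it is applied to every cert the CA
# signs, so each one carries the CDP extension a CDP-driven checker reads.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = demo_policy
x509_extensions  = usr_cert
[ demo_policy ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints      = CA:false
keyUsage              = digitalSignature
extendedKeyUsage      = clientAuth
crlDistributionPoints = URI:$CDP_URL
EOF
    # Self-signed CA cert; cRLSign is what lets it issue CRLs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Issue a client cert for subject CN=$2; it is signed with [ usr_cert ].
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

# (Re)publish the CRL; in a deployment this file is what is served at $CDP_URL.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# Revoke cert $2 and publish a fresh CRL so the revocation becomes visible.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
    gen_crl "$1"
}

# First step of a CDP-driven check: read the CRL URL out of the cert itself.
cdp_of() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p' | head -n 1
}

# Check against a CRL at a known location: chain validation plus CRL lookup.
# Prints "good" or "revoked" (any verify failure is treated as not good).
check_cert() {
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
            "$1/$2.crt" >/dev/null 2>&1; then
        echo good
    else
        echo revoked
    fi
}

main() {
    work=$(mktemp -d)
    setup_ca "$work"; issue_cert "$work" alice; issue_cert "$work" bob
    gen_crl "$work"; revoke_cert "$work" bob
    echo "alice CDP: $(cdp_of "$work" alice)"   # http://pki.example.org/ca.crl
    echo "alice: $(check_cert "$work" alice)  bob: $(check_cert "$work" bob)"   # good / revoked
    rm -rf "$work"
}
main
```

What the script does against a local file, a real deployment has to do at the URL written into the certificates: publish ca.crl there and regenerate it before default_crl_days runs out, because a checker that follows the CDP sees only what that URL serves, and a missing or expired CRL is a failed check, not a pass. Certificates issued before the extension was added to the config will not carry it, which is why the CA and its issued certs have to be regenerated rather than just the CRL.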
