Loading & processing server certificates, keys, trust chains, and CRLs Request time doesn't make sense to me, unless it's implemented as a "one-time cost" for the first use of a dynamic virtual host. Are these virtual hosts truly dynamic? It seems that there would have to be some a priori knowledge of the possible servers you might be hosting. Are you in fact proposing some mechanism whereby you provide a path generator as in "certs/%s/server.crt" where Apache will look for the certificates [and other files] defining the PKI environment for each dynamic virtual host, and that further these files might not have been present on the system at httpd's startup?
Warmly,
--Pete

> -----Original Message-----
> From: Adam Hasselbalch Hansen [mailto:[email protected]]
> Sent: Tuesday, May 25, 2010 7:06 AM
> To: [email protected]
> Subject: Re: mod_ssl, SNI and dynamic virtual hosts
>
> So what I'm attempting to get feedback on is whether or not
> it will be possible or even feasible to move certificate
> loading (as in the actual reading of certificate files) from
> startup time to request time, and if so, what caveats if any
> this may lead to.
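An added sketch, not code from this thread or from mod_ssl, of the "certs/%s/server.crt" path generator with a one-time load per host. Because the SNI name comes from the client, it is validated before it reaches the format string. The function names, the cache and its bound are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CERT_PATH_FMT "certs/%s/server.crt"   /* template quoted in the message */
#define MAX_HOSTS 64                           /* assumed bound on cached hosts */

static char cached_host[MAX_HOSTS][254];
static int cached_count, load_count;

/* Hypothetical check: lowercase letters, digits, '-' and '.' only, so a
 * client-supplied name cannot carry '/', "..", or an empty label.
 * The caller is assumed to have lowercased the name already. */
int sni_name_ok(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;  /* empty label or "-." */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
                   (c == '-' && label > 0)) {
            if (++label > 63) return 0;                   /* DNS label limit */
        } else {
            return 0;
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* Returns 0 and fills `out`; -1 if the name is rejected, the path does not
 * fit, or the cache is full. The load cost is paid once per distinct host. */
int cert_path_for_sni(const char *sni, char *out, size_t outlen)
{
    if (!sni_name_ok(sni)) return -1;
    int n = snprintf(out, outlen, CERT_PATH_FMT, sni);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < cached_count; i++)
        if (strcmp(cached_host[i], sni) == 0) return 0;   /* already loaded */
    if (cached_count == MAX_HOSTS) return -1;             /* bound memory use */
    strcpy(cached_host[cached_count++], sni);             /* length checked above */
    load_count++;  /* a real server would read and parse the files here */
    return 0;
}

int loads_so_far(void) { return load_count; }

int main(void) {
    char p[300];
    if (cert_path_for_sni("www.example.com", p, sizeof p) == 0) puts(p);
    return 0;
}
```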
