https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #26 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to logo from comment #25)
> Indeed I use CRL to check client certs.
> 
> And so far I have only the "old" CRL functionality provided by openssl.

So it sounds like you are set, then.

Are you using CRLs published by large CAs or are you maintaining your own CRL?
I'd imagine the latter unless you are relying on a large CA for client
certificate trust which seems ... unusual. But I suppose you could just trust
everything from e.g. VeriSign and then also use their CRL.

If I were doing this, I would have a curated trust store and simply remove the
no-longer-trusted certificates from that trust store. If management of that
became too cumbersome (e.g. too many certs to manage), I would set up an
internal CA which signs certificates, and then you can go back to a very small
CRL which only contains the certs you have revoked yourself.

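The setup Christopher sketches in the last paragraph, as an added example that is not part of the bug thread or of Tomcat itself: an internal CA that issues client certificates and publishes a CRL listing only the certificates that CA has revoked, then an `openssl verify -crl_check` of a revoked and a still-valid client certificate against CA cert plus CRL. It needs the `openssl` command-line tool; the CA name, the client names (alice, bob), the file names and the config sections are all constructed for the example and are not anything the thread or Tomcat defines.

```shell
#!/bin/sh
# Added example, not from the bug thread: a minimal internal CA that issues
# client certificates, revokes one, publishes a one-entry CRL and checks client
# certificates against CA cert + CRL with `openssl verify -crl_check`.
# All names here (Demo Internal CA, alice, bob, file names) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Working files for `openssl ca`: issuance database, serial counter, CRL number.
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_cert

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root of the internal CA: the one certificate the server's
# curated trust store has to contain.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Internal CA" -days 365 2>/dev/null

# issue_client NAME: key + CSR + CA-signed client certificate for one client.
issue_client() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# revoke_client NAME: mark the certificate revoked in the CA database and
# publish a fresh CRL; it only ever lists certificates this CA issued.
revoke_client() {
  openssl ca -batch -config ca.cnf -revoke "$1.crt" \
    -crl_reason cessationOfOperation >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1
  # openssl verify loads CRLs from -CAfile as well, so ship CA cert + CRL together.
  cat ca.crt demo.crl > ca-with-crl.pem
}

# verify_client CERT: prints OK, REVOKED or INVALID; exit status 0 only for OK.
# The decision is taken from openssl's text output rather than its exit code,
# which older releases did not set reliably.
verify_client() {
  out=$(openssl verify -crl_check -CAfile ca-with-crl.pem "$1" 2>&1) || true
  case $out in
    *": OK"*)                echo OK; return 0 ;;
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo INVALID ;;
  esac
  return 1
}

# crl_entry_count: number of revoked serials listed in the published CRL.
crl_entry_count() {
  openssl crl -in demo.crl -noout -text | grep -c 'Serial Number:'
}

issue_client alice
issue_client bob
revoke_client alice

echo "alice: $(verify_client alice.crt || true)"   # REVOKED
echo "bob:   $(verify_client bob.crt || true)"     # OK
echo "CRL entries: $(crl_entry_count)"             # 1
```

The point the small CRL makes is operational: because only this CA issues client certificates, the CRL grows only with certificates you revoked yourself, and the server's trust store never has to carry a large public CA's root or its CRL.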