Sorry for my bad English. I'll try to describe it as below: to configure client certificate verification, first build a config file, maybe named ca.conf, or combine it with pound.conf:

    [CA]
    name = ............ ..........   # the certificate file name
    verify =
        # 0 - no CRL
        # 1 - use a static CRL file
        # 2 - use a URL to retrieve the CRL, URL=http://210.74.41.60/crl/CRLFile.crl
        # 3 - directory-based CDP (CRL distribution point)
    File =      # if verify=1, use this static file
    URL =       # if verify=2, use this to specify a URL to retrieve CRLs,
                # for example URL=http://210.74.41.60/crl/CRLFile.crl
                # can refer to http://www.openca.org/ocspd/
    LDAP =      # if verify=3, use the certificate CDP and this LDAP address to retrieve the CRLs,
                # LDAP=210.74.41.60:389
                # for CDP-based CRL retrieval, you can refer to http://eaptls.spe.net/
    baseDN =    # for example
                # O=CFCA OCA C=CN
    crlupdateinterval =
    CDPfilename =   # CDPfile is a text file; it contains all CDPs of this CA
                    # CN=CRL1
                    # CN=CRL2
                    # ......
                    # CN=CRL1000
    [END]

When the system is running, download all CRLs based on the CDP (baseDN and CDP filename) and the user-specified LDAP server ip:port. When a client asks for verification, extract the CDP from the client cert and look for the currently downloaded CRL: if it is good, use it to verify; if it expired or does not exist, try to download it.

thanks and best regards
eric dai
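To show how the proposed block and the lookup rule fit together, here is an added Python example that is neither Pound's code nor the poster's: a parser for the [CA] ... [END] layout described above, the startup list of CDP names to fetch, and the "good, use it; expired or missing, download it" decision. The sample config, CDP file and cache state are constructed for the example; how a CDP line is joined to baseDN and the reading of crlupdateinterval as a re-fetch interval are assumptions, and no network or LDAP fetch is performed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample config in the proposal's layout; every value is made up.
SAMPLE_CONF = """
[CA]
name = cfca_oca.pem               # the CA certificate file name
verify = 3                        # 3 - directory based CDP
LDAP = ldap.example.invalid:389   # placeholder host, not a real server
baseDN = O=CFCA OCA,C=CN
crlupdateinterval = 3600
CDPfilename = cfca_cdps.txt
[END]
"""

# Constructed contents of the CDP file named above (one CDP per line).
SAMPLE_CDP_FILE = """
# CDPs of this CA
CN=CRL1
CN=CRL2
"""

VERIFY_MODES = {0: "none", 1: "static-file", 2: "url", 3: "cdp-ldap"}


def parse_ca_conf(text):
    """Parse [CA] ... [END] sections of 'key = value' lines.

    '#' starts a comment anywhere on a line, as in the proposal's examples.
    Returns a list of dicts, one per [CA] section; malformed input raises.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[CA]":
            if current is not None:
                raise ValueError("nested [CA]")
            current = {}
            continue
        if line == "[END]":
            if current is None:
                raise ValueError("[END] without [CA]")
            sections.append(current)
            current = None
            continue
        if current is None:
            raise ValueError(f"key outside a [CA] section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected key = value, got {line!r}")
        current[key.strip()] = value.strip()
    if current is not None:
        raise ValueError("[CA] without [END]")
    for s in sections:  # normalise the fields the decision logic needs
        s["verify"] = int(s.get("verify", "0"))
        if s["verify"] not in VERIFY_MODES:
            raise ValueError(f"unknown verify mode {s['verify']}")
        s["crlupdateinterval"] = int(s.get("crlupdateinterval", "0"))
    return sections


def is_valid_conf(text):
    """True when the text parses as one or more complete [CA] sections."""
    try:
        return len(parse_ca_conf(text)) > 0
    except ValueError:
        return False


def cdp_dns(section, cdp_file_text):
    """Names to download at startup. Assumption: each CDP line is an RDN
    that is prefixed to baseDN, e.g. CN=CRL1,O=CFCA OCA,C=CN."""
    base = section["baseDN"]
    return [f"{raw.split('#', 1)[0].strip()},{base}"
            for raw in cdp_file_text.splitlines()
            if raw.split("#", 1)[0].strip()]


def crl_decision(cdp, cache, now, update_interval=0):
    """The post's rule for one client cert whose CDP is `cdp`.

    `cache` maps CDP -> {"fetched": datetime, "next_update": datetime}.
    Returns "use" when a current CRL is cached and "download" when the
    CRL is missing, past its nextUpdate, or (assumed meaning of
    crlupdateinterval) older than the configured refresh interval.
    """
    entry = cache.get(cdp)
    if entry is None:
        return "download"
    if entry["next_update"] <= now:
        return "download"
    if update_interval > 0 and entry["fetched"] + timedelta(seconds=update_interval) <= now:
        return "download"
    return "use"


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def demo():
    """Run the pieces together on the constructed data and return the decisions."""
    section = parse_ca_conf(SAMPLE_CONF)[0]
    dns = cdp_dns(section, SAMPLE_CDP_FILE)
    # Constructed cache: CRL1 fetched 10 min ago, valid for a day; CRL2 never fetched.
    cache = {dns[0]: {"fetched": NOW - timedelta(minutes=10),
                      "next_update": NOW + timedelta(days=1)}}
    interval = section["crlupdateinterval"]
    return {
        "fresh": crl_decision(dns[0], cache, NOW, interval),
        "missing": crl_decision(dns[1], cache, NOW, interval),
        "expired": crl_decision(dns[0], cache, NOW + timedelta(days=2), interval),
        "stale": crl_decision(dns[0], cache, NOW + timedelta(hours=1), interval),
    }


if __name__ == "__main__":
    print(demo())
```

The decision is evaluated per request against the cache only; the download itself (static file, URL, or LDAP, depending on `verify`) is the part the proposal leaves to the server, and `verify` is checked against the four modes so that a typo in the config fails at load time rather than silently disabling CRL checks.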