Hi,

> Hello, all. Perhaps this reflects my ignorance of CRLs, but is there a
> way to generate a report of soon-expiring CRLs the way there is of
> generating a list of soon-expiring certificates in OpenCA? Thanks -
> John

No, there isn't. The CRL is (currently) generated manually and there
is no means of warning you of expiring CRLs.
What I did in my project here was to set up a monitoring script that
periodically fetches the published CRL (from LDAP via ldapsearch or
from an HTTP server via wget), parses the CRL using
'openssl crl -nextupdate ...' and verifies that the remaining validity
is greater than a certain threshold. Raise a monitoring alert if it isn't.
Not too difficult to implement using shell scripting or Perl.
This approach has the advantage that you don't rely on OpenCA to
notice something is wrong, this way you will catch problems in the
distribution infrastructure as well.
cheers
Martin
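
The check described in the reply above, written out as an added example (not Martin's script and not part of OpenCA). The variables CRL_URL and MIN_SECONDS, the 24-hour default, the DER encoding and the Nagios-style exit codes are assumptions; the date arithmetic is done in awk so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example: alert when a published CRL is close to its nextUpdate time.
# Assumed names: CRL_URL, MIN_SECONDS. Exit codes: 0 ok, 2 critical, 3 unknown.

# Convert a line printed by "openssl crl -noout -nextupdate" to epoch seconds.
# Expected input: nextUpdate=Mar 14 12:00:00 2030 GMT
nextupdate_epoch() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^nextUpdate=/, "")
        if (NF != 5 || $5 != "GMT" || length($1) != 3) exit 1
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        if (m != int(m) || m < 1) exit 1
        split($3, t, ":"); d = $2; y = $4
        # Days since 1970-01-01, counting the year from March
        if (m <= 2) { y--; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400) \
             + int((153*(m-3) + 2)/5) + d - 719469
        printf "%.0f\n", days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }'
}

# Args: nextUpdate line, minimum remaining seconds, current epoch (default now).
check_nextupdate() {
    exp=$(nextupdate_epoch "$1") || { echo "UNKNOWN: cannot parse '$1'"; return 3; }
    left=$(( $exp - ${3:-$(date +%s)} ))
    if [ "$left" -lt "$2" ]; then
        echo "CRITICAL: CRL nextUpdate in ${left}s (threshold ${2}s)"
        return 2
    fi
    echo "OK: CRL valid for another ${left}s"
}

# Fetch the CRL the way a relying party would, then check it.
# A failed download is reported as critical too, so problems in the
# distribution infrastructure are caught as well.
if [ -n "${CRL_URL:-}" ]; then
    tmp=$(mktemp) || exit 3
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$CRL_URL" || { echo "CRITICAL: cannot fetch $CRL_URL"; exit 2; }
    line=$(openssl crl -inform DER -in "$tmp" -noout -nextupdate 2>/dev/null)
    check_nextupdate "$line" "${MIN_SECONDS:-86400}"
    exit $?
fi
```

Run it from cron or a monitoring agent with CRL_URL set to the published HTTP location; for a PEM-encoded CRL drop `-inform DER`.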