On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo <[email protected]> wrote
> This question may be better asked in the NSS mailing list. Feel
> free to let me know if that is the case.
>
> I'm building a service based around OpenLDAP and SASL EXTERNAL
> authentication using client certificates. One of the requirements is
> that we have the ability to revoke client certificates. I've
> found that the only way to revoke a client certificate using an
> NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
>
> - Revoke the certificate
> - Import the CRL into the db referenced by olcTLSCACertificatePath
> - restart slapd
>
> Is there a way to update the CRL without restarting slapd? And
> is there any way to make slapd request the URL referenced in the
> client cert's nsCaRevocationUrl attribute? If the answer to this
> is "use OpenSSL", that's a fine answer.
I'm also interested in CRL checking without having to reload a server configuration. I'm using a custom OpenLDAP build linked against OpenSSL though.

Ciao, Michael.
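The revocation check this thread is about, reproduced outside slapd with the OpenSSL command line (an added example, not code from either poster): a throwaway CA issues a client certificate, publishes an empty CRL, revokes the certificate and reissues the CRL, and `openssl verify -crl_check` then rejects the certificate against the refreshed CRL. The CA name, the subject CN=alice and all file names are constructed for the demo; only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): issue a client certificate from a
# throwaway CA, publish a CRL, revoke the certificate and re-check it with
# OpenSSL's CRL validation, independent of slapd. Needs the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal 'openssl ca' configuration; every path here is constructed.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
# CA key and self-signed certificate, then a client certificate for CN=alice.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj /CN=alice 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# crl_status CERT CA CRL: prints valid, revoked, or error with the reason.
# CA certificate and CRL are bundled so -CAfile hands both to the verifier.
crl_status() {
    cat "$2" "$3" > bundle.pem
    out=$(openssl verify -crl_check -CAfile bundle.pem "$1" 2>&1) && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}
BEFORE_REVOKE=$(crl_status client.pem ca.pem crl.pem)  # valid: CRL is empty
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # new CRL lists alice
AFTER_REVOKE=$(crl_status client.pem ca.pem crl.pem)   # revoked
echo "before revocation: $BEFORE_REVOKE; after: $AFTER_REVOKE"
```

Whatever component performs this check (slapd via NSS or OpenSSL, or a front-end proxy) has to re-read the CRL for the second result to appear; the script shows the check itself, not how a given server reloads the file.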
