Thanks Jason, good info.
So when the distributed CRL is installed within a browser, the browser is what goes out and retrieves the CRL, and not the web server. Is that correct? And that doesn't sound reliable either.
Regarding IIS, when I connect to an IIS machine, which happens to also be the certificate server, it works fine. I have not tested remote CRLs on IIS yet.
Thanks.
Jason Haar <[EMAIL PROTECTED]> wrote:
Steve Larson wrote:
> I am wanting to get CRL Distribution Points working within my client
> certs.
>
> Using Apache I am able to get certificate revocation working using the
> SSLCARevocationFile directive (using a local file).
>
> Using a http://www.webserver.com/crlfile.crl within the cert (CRL
> Distribution Point) it doesn't work. I have put the crl on a remote
> web server. Watching the logs on the remote server I do not see the
> crl being accessed.
>
> Any troubleshooting tips?
>
You can't do that - Apache can only look at local files.
We use an rsync script to replicate CRLs out to "CRL Web servers" and
from there push copies out to Apache servers that need them. Also note
that Apache doesn't notice that the CRL has been updated - so you need
to HUP or restart Apache to reload it.
So far the only applications I've found that support reading remote CRLs
are Web browsers (although IE/Outlook isn't reliable at that) and
Cisco's VPN 3000 concentrator series. That isn't a definitive list -
just what I've found to work well.
If you want to "pull" CRL updates, you'll need to write a script to do
that. Actually, either way you'll need a script.
BTW: Does anyone know how IIS handles CRLs? As far as I'm aware, it
still doesn't?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
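The "pull" script Jason says you will need, written out as an added example (it is not from this thread, from Trimble, or from the OpenSSL project): fetch the CRL from its distribution point, check it against the issuing CA before installing it where SSLCARevocationFile points, and restart Apache only when the file actually changed. The CDP URL is the one from Steve's message; the file paths, the reload command (a graceful restart, which is the HUP Jason mentions), and the use of curl and GNU date are assumptions for illustration.

```sh
#!/bin/sh
# update-crl.sh: pull a CRL from its distribution point (or from a local copy
# rsync'd off an internal "CRL web server"), check it, install it where Apache's
# SSLCARevocationFile points, and reload Apache only if the file changed, since
# Apache reads the CRL only at (re)start. Paths, the reload command, and the use
# of curl and GNU date are assumptions for illustration, not from the thread.
set -eu

# fetch_crl SRC DEST: SRC is an http(s):// URL or a local path.
fetch_crl() {
    case "$1" in
        http://*|https://*) curl -fsS --max-time 30 -o "$2" "$1" ;;
        *) cp "$1" "$2" ;;
    esac
}

# to_pem IN OUT: CDPs usually serve DER; Apache wants PEM. Accept either and
# always write normalised PEM so identical CRLs compare equal byte-for-byte.
to_pem() {
    if openssl crl -inform PEM -in "$1" -noout >/dev/null 2>&1; then
        openssl crl -inform PEM -in "$1" -outform PEM -out "$2"
    else
        openssl crl -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# crl_number FILE: the CRL number extension as a decimal integer (0 if absent).
# Assumes the number fits the shell's integer arithmetic.
crl_number() {
    hex=$(openssl crl -in "$1" -noout -crlnumber 2>/dev/null | cut -d= -f2)
    case "$hex" in ''|'<NONE>') hex=0 ;; esac
    echo $((0x$hex))
}

# check_crl CRL CA_CERT INSTALLED: the CRL must be signed by the issuing CA, must
# still be current (nextUpdate in the future) and must not carry a lower CRL
# number than the one already installed. Whoever can tamper with the download
# cannot forge a CRL, but can replay a stale one that predates a recent
# revocation; the freshness and rollback checks are what catch that.
check_crl() {
    crl=$1; ca=$2; installed=$3
    # Match the textual verdict: some openssl builds exit 0 on "verify failure".
    openssl crl -in "$crl" -CAfile "$ca" -noout -verify 2>&1 | grep -q '^verify OK' \
        || { echo "CRL signature does not verify against $ca" >&2; return 1; }
    next=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2-)
    # GNU date parses OpenSSL's "Jan  2 03:04:05 2025 GMT" timestamps.
    [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ] \
        || { echo "CRL is no longer current: nextUpdate=$next" >&2; return 1; }
    if [ -f "$installed" ] && [ "$(crl_number "$crl")" -lt "$(crl_number "$installed")" ]; then
        echo "refusing to replace the CRL with one carrying an older CRL number" >&2
        return 1
    fi
}

# install_crl SRC CA_CERT DEST [RELOAD_CMD]: 0 if installed or unchanged, 1 if rejected.
install_crl() {
    src=$1; ca=$2; dest=$3; reload=${4:-"apachectl graceful"}
    raw=$(mktemp)
    # Temp file in the destination directory so the final mv is an atomic rename
    # and Apache never opens a half-written CRL.
    tmp=$(mktemp "$(dirname "$dest")/.crl.XXXXXX")
    fetch_crl "$src" "$raw"
    to_pem "$raw" "$tmp"
    rm -f "$raw"
    if ! check_crl "$tmp" "$ca" "$dest"; then
        rm -f "$tmp"; return 1
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; echo "CRL unchanged"; return 0
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
    echo "installed new CRL into $dest"
    $reload    # a graceful restart re-reads mod_ssl's CRL file
}

# Usage (from cron): update-crl.sh http://www.webserver.com/crlfile.crl \
#                      /etc/ssl/certs/ca.pem /etc/ssl/crl/crlfile.pem
if [ "$#" -ge 3 ]; then
    install_crl "$@"
fi
```

Run it from cron more often than the CA's CRL lifetime, so a fetch that fails one of the checks still leaves a valid CRL in place until the next run. The signature check alone is not enough: anyone who can interfere with the HTTP download cannot forge a CRL, but can serve yesterday's copy, which is why the script also refuses an expired CRL and one with a lower CRL number than the file already installed.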