On Sat, Apr 01, 2017 at 07:53:05PM +1030, Jack Burton wrote:
> One common example of that happening is when a cert gets revoked because
> its private key has been lost/stolen and the user needs a new cert
> associated with the same identity. An even more common example is when
> a cert expires & gets renewed.

If you are using certificate revocation, I think you should do the check as early as possible. That means in httpd in this case. Nothing later in the stack should have to care about expired or revoked certificates -- it just adds complexity and the danger of someone forgetting about it.

Which mechanisms to support (i.e. CRLs or OCSP) is a completely different topic.

Joerg
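The check Joerg argues belongs in httpd, written out in Go as an added example (not code from this thread or from httpd itself): the TLS front end verifies the chain and validity period, confirms the CRL is signed by the leaf's issuer and still current, and matches the leaf serial against the CRL, so nothing behind it needs to repeat any of that. The test CA, client certificate and CRL it runs on are constructed in NewFixture; that name and VerifyClientCert are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// VerifyClientCert is the front-end check: trust chain and NotBefore/NotAfter via
// Verify, then revocation against a CRL that must be issuer-signed and not stale.
func VerifyClientCert(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	chains, err := leaf.Verify(opts) // fails on an untrusted issuer or an expired/not-yet-valid cert
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil || now.After(crl.NextUpdate) { // [1] is the issuer
		return errors.New("CRL not signed by issuer or stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// NewFixture builds constructed test data only: a CA, a client cert with the given
// serial expiring at now+validFor, and a CRL that always revokes serial 42.
func NewFixture(serial int64, validFor time.Duration) (*x509.Certificate, *x509.CertPool, *x509.RevocationList) {
	now := time.Now()
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validFor), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caPriv)
	leaf, _ := x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caPriv)
	crl, _ := x509.ParseRevocationList(crlDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf, pool, crl
}
```

Once this returns nil, the backend can be handed just the verified subject; an expired, revoked or stale-CRL case never gets past the front end.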
