I have an SSL site and I am wondering how Apache / mod_ssl handle CRLs. It seems like I have to grab the CRL and place it into a file for Apache / mod_ssl to read from there.

My issue CRL is for 1 day:

Last Update: Nov 17 13:21:32 2011 GMT
Next Update: Nov 18 13:21:32 2011 GMT

So there is a point in time when it is not going to be valid... How do other people handle this, and does a SIGHUP reload the CRL or do I need to restart Apache?
I simply wrote a script that periodically downloads the new CRL, puts it in place and restarts Apache. In my case the CRL updates are issued at 'random' times so my script reads the next update time from the CRL and schedules itself to run a few minutes before that. If your CRL is updated at fixed times you could just schedule it with cron.
I'm not doing a graceful restart but rather a full restart when the CRL is updated. That may be because I investigated the issue at the time I set this up and found the graceful restart to be insufficient, or because I just wasn't sure if graceful restart will work. I *think* it's the former.
HTH
--
Toomas Aas
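The self-scheduling refresh described in the reply above, as an added example that is not the poster's script or part of the original thread. The CRL URL, file paths, 5-minute margin and retry delay are assumptions, as is the tooling (a PEM-encoded CRL, GNU `date`, `curl`, `at` and `apachectl`); it also verifies the CRL signature against the CA certificate before installing it.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed: the URL and paths below,
# a PEM-encoded CRL, GNU date, curl, at(1) and apachectl.
CRL_URL=${CRL_URL:-http://ca.example.invalid/ca.crl}
CRL_FILE=${CRL_FILE:-/etc/apache2/ssl.crl/ca.crl}
CA_FILE=${CA_FILE:-/etc/apache2/ssl.crt/ca.crt}
MARGIN=${MARGIN:-300}   # refresh this many seconds before nextUpdate
RETRY=${RETRY:-600}     # delay before retrying when a refresh fails

# "nextUpdate=Nov 18 13:21:32 2011 GMT" (openssl crl -nextupdate) -> epoch seconds
next_update_epoch() {
    date -u -d "${1#nextUpdate=}" +%s
}

# Epoch time of the next run: MARGIN before nextUpdate ($1), at least 60 s after now ($2)
next_run_epoch() {
    t=$(( $1 - MARGIN ))
    [ "$t" -gt $(( $2 + 60 )) ] || t=$(( $2 + 60 ))
    echo "$t"
}

# Download, verify and install the CRL; print its nextUpdate epoch on success
refresh_crl() {
    tmp=$(mktemp "$CRL_FILE.XXXXXX") || return 1
    curl -fsS -o "$tmp" "$CRL_URL" || { rm -f "$tmp"; return 1; }
    # Match the "verify OK" text rather than trusting the exit status alone
    openssl crl -in "$tmp" -CAfile "$CA_FILE" -noout 2>&1 | grep -q 'verify OK' ||
        { rm -f "$tmp"; return 1; }
    nu=$(next_update_epoch "$(openssl crl -in "$tmp" -noout -nextupdate)") ||
        { rm -f "$tmp"; return 1; }
    # Reject a CRL that is already past its own nextUpdate
    [ "$nu" -gt "$(date +%s)" ] || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$CRL_FILE" && echo "$nu"
}

main() {
    now=$(date +%s)
    if nu=$(refresh_crl); then
        apachectl restart            # full restart, as in the reply above
        run=$(next_run_epoch "$nu" "$now")
    else
        run=$(( now + RETRY ))       # keep the old CRL and try again later
    fi
    # at -t takes local time as [[CC]YY]MMDDhhmm
    echo "$0 --run" | at -t "$(date -d "@$run" +%Y%m%d%H%M)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Start it once with `--run`; each run then queues the next one through `at`. A failed download or verification leaves the installed CRL untouched and retries after `RETRY` seconds.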