Re: Automatic CRL reload


Alvaro Herrera wrote:
> Andrej Podzimek wrote:
> 
> > "The files server.key, server.crt, root.crt, and root.crl are only
> > examined during server start; so you must restart the server for
> > changes in them to take effect."
> > (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
> >
> > This is perfectly fine for server.key, server.crt and root.crt. These
> > files change quite rarely. However, root.crl usually changes once a
> > month (which is the default in OpenSSL) or even more often when
> > necessary.
> 
> I think the right solution here is to reload the CRL file on SIGHUP
> (reload).  Whoever changes the CRL file should send a signal.
> 
> I've had that on my TODO list for a while.

Added to TODO:

	Allow SSL CRL files to be re-read during configuration file reload,
	rather than requiring a server restart
	
	    Unlike SSL CRT files, CRL (Certificate Revocation List) files are
	    updated frequently
	
	        * http://archives.postgresql.org/pgsql-general/2008-12/msg00832.php 

-- 
  Bruce Momjian  <bruce@xxxxxxxxxx>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
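
The reload-on-SIGHUP approach proposed in this thread, sketched in Python as an added example (not PostgreSQL's code and not written by anyone in the thread). The file names follow the quoted documentation; `build_context`, `CRLReloader` and `install` are hypothetical names.

```python
import signal
import ssl

# File names as in the quoted documentation; paths are assumptions.
SERVER_CRT, SERVER_KEY = "server.crt", "server.key"
ROOT_CRT, ROOT_CRL = "root.crt", "root.crl"


def build_context(crl_path=ROOT_CRL):
    """Build a fresh server-side TLS context that enforces the CRL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(SERVER_CRT, SERVER_KEY)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ROOT_CRT)
    ctx.load_verify_locations(cafile=crl_path)  # PEM CRLs load the same way
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


class CRLReloader:
    """Holds the live context and swaps it when a reload is requested."""

    def __init__(self, builder=build_context):
        self._builder = builder
        self._pending = False
        self.last_error = None
        self.context = builder()  # an unreadable CRL at startup is fatal

    def on_sighup(self, signum=None, frame=None):
        # The handler only sets a flag; file I/O happens in poll().
        self._pending = True

    def poll(self):
        """Call from the accept loop; True if the context was swapped."""
        if not self._pending:
            return False
        self._pending = False
        try:
            fresh = self._builder()
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            # Keep enforcing the previous CRL rather than running with none.
            self.last_error = exc
            return False
        self.context, self.last_error = fresh, None
        return True


def install(reloader):
    signal.signal(signal.SIGHUP, reloader.on_sighup)
```

New connections are wrapped with `reloader.context` after each `poll()`; connections already established keep the context they were accepted with.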
