Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to validate certificate status. I am just trying to make sure that there is support from the "applications world" for such a CRL partitioning scheme. Wide interoperability is a key goal.

Regards,
Nuno Ponte

On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles <[EMAIL PROTECTED]> wrote:
> Nuno Ponte wrote:
>> Hi,
>>
>> We are running a CA that has thousands of revoked certificates,
>> which leads to CRLs of several MBytes.
>>
>> On the next renewal of the CA, we are thinking of partitioning the
>> CRLs at each X number of issued certificates. The issued certificates
>> will have different CRL Distribution Points (CDP) according to the
>> partitions they are assigned to.
>>
>> For example, for X=100, from certificate 1 to certificate 100, the
>> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
>> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>>
> The CDP is embedded when creating the certificate, so it might be possible
> (client side).
>
> Server side, you can stack as many CRLs as you want into either a single
> file or a directory (using hashing) and point Apache at it.
> But you may apply a patch for multiple identical DN handling.
> http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3
>
> Why didn't you implement OCSP in Apache?
> http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
> didn't test it anyway)
>
> --
> The Mona Lisa does not smile in front of Chuck Norris.
> Gilles CUESTA - Logiciels Libres
> 69139920

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
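The partitioning scheme in Nuno's quoted message (X=100, serial 1..100 -> myca-0001.crl, 101..200 -> myca-0002.crl, ...) is worked through below as an added example; it is not code from the thread, from mod_ssl or from the CA in question. The partition size, base URL and serial ranges come from the thread; everything else (the Cert/Crl records, the function names, the 250 constructed serials and the two revoked ones) is an illustrative assumption, and no real X.509 parsing or signature checking is done. The part worth seeing is the client side that Gilles calls "client side": a partitioned CRL is only safe if the relying party checks that the CRL it fetched actually covers the certificate's CDP (RFC 5280 section 6.3.3 (b)(2), via the Issuing Distribution Point extension of section 5.2.5). A client that only verifies the CA signature will happily accept partition 0001's CRL for a certificate that lives in partition 0002, and since that CRL can never list the serial, the revoked certificate looks good.

```python
"""Partitioned CRLs keyed by serial range, as sketched in the thread.

Added example, not code from the mailing list or from mod_ssl.  The
partition size, base URL and serial ranges are from the thread; the
data classes, function names and sample serials are assumptions made
for illustration.  No X.509 encoding or signature verification here:
the point is the partition arithmetic and the IDP/CDP check a relying
party must do before trusting a partition CRL.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

PARTITION_SIZE = 100                      # "X" in the thread
CDP_BASE = "http://myca.com/crl/myca-"    # CDP prefix used in the thread


def partition_of(serial: int, size: int = PARTITION_SIZE) -> int:
    """Serials 1..size -> 1, size+1..2*size -> 2, ...  (serials start at 1)."""
    if serial < 1:
        raise ValueError("serial numbers start at 1")
    return (serial - 1) // size + 1


def cdp_for_serial(serial: int, size: int = PARTITION_SIZE) -> str:
    """CDP URL stamped into a certificate at issuance time."""
    return f"{CDP_BASE}{partition_of(serial, size):04d}.crl"


@dataclass(frozen=True)
class Cert:
    serial: int
    cdp: str          # CRL Distribution Points extension (RFC 5280 4.2.1.13)


@dataclass(frozen=True)
class Crl:
    idp: str          # Issuing Distribution Point extension (RFC 5280 5.2.5)
    revoked: FrozenSet[int]


def issue(serial: int) -> Cert:
    return Cert(serial, cdp_for_serial(serial))


def build_crls(issued: Iterable[Cert], revoked: Set[int]) -> Dict[str, Crl]:
    """One CRL per partition that has had at least one certificate issued.

    Each CRL carries its own URL as IDP so a relying party can tell which
    partition it covers.  Partitions with no revocations still get an
    (empty) CRL; otherwise a client fetching the CDP of an unrevoked
    certificate finds nothing at the URL.
    """
    entries: Dict[str, Set[int]] = {}
    for cert in issued:
        entries.setdefault(cert.cdp, set())
        if cert.serial in revoked:
            entries[cert.cdp].add(cert.serial)
    return {url: Crl(url, frozenset(s)) for url, s in entries.items()}


def status_naive(cert: Cert, crl: Crl) -> str:
    """A client that only checks the CA signature on the CRL.

    A valid CRL for the *wrong* partition never lists this serial, so the
    certificate is reported good even if it was revoked.
    """
    return "revoked" if cert.serial in crl.revoked else "good"


def status_strict(cert: Cert, crl: Crl) -> str:
    """RFC 5280 6.3.3 (b)(2): the CRL's IDP must match the cert's CDP.

    A CRL for another partition says nothing about this certificate, so
    refuse to draw a conclusion from it instead of reporting "good".
    """
    if crl.idp != cert.cdp:
        raise ValueError(f"CRL {crl.idp} does not cover {cert.cdp}")
    return status_naive(cert, crl)


if __name__ == "__main__":
    issued = [issue(s) for s in range(1, 251)]      # constructed: 250 certs
    crls = build_crls(issued, revoked={42, 150})    # constructed revocations
    victim = issue(150)                             # lives in partition 0002
    right = crls[victim.cdp]
    wrong = crls[cdp_for_serial(1)]                 # partition 0001's CRL
    print(status_strict(victim, right))             # revoked
    print(status_naive(victim, wrong))              # good: substitution works
    try:
        status_strict(victim, wrong)
    except ValueError as e:
        print("rejected:", e)
```

Note that Gilles's server-side suggestion (concatenate all partition CRLs into one file, or drop them in a hashed directory, and point Apache at that) sidesteps the check entirely: a server configured with a fixed local CRL store never looks at the certificate's CDP, so only the issuing side has to keep the partitions consistent. The IDP/CDP check matters for relying parties that fetch the CDP URL from the certificate themselves, which is exactly the interoperability question Nuno is asking about.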