I'm trying to figure out how to update a CRL without restarting the
server. It looks like get_cert_by_subject() wants to see all the
successively generated CRLs for a CA. In other words, it wants to see
something like 12345.r0, 12345.r1 etc.
So I start the server with 12345.r0 in my certificate
I'd like to aperiodically update my CRL. Is there a way that I can tell
the x509 store to flush a CRL from its cache, so that it reloads the
CRL on the next connection?
If the CRL is reloaded, is there a way to examine existing connections
to see if their certificate has been revoked?
Thanks
I'm trying to use CRLs but my server is not rejecting certificates that
are (supposed to be) in my CRL. I'd appreciate any advice that people
might have.
The Questions:
--
1) Is there any way to validate what's in a CRL? Something akin to
openssl x509 -text, for CRLs would be awesome.
I'm using client certificate verification via
SSL_CTX_set_client_CA_list() and SSL_CTX_load_verify_locations(). I'd
like to add CRLs. The only way that I've found to do this is to call:
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
/* leaf only; OR in X509_V_FLAG_CRL_CHECK_ALL to check the whole chain */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
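The three posts above ask how to see what a CRL contains, why a revoked certificate is still accepted, and how the 12345.r0 / 12345.r1 files relate to CRL lookup. The script below is an added example, not code from any of the posters: it builds a throwaway CA in a temp directory, issues a client certificate, revokes it, dumps the CRL with openssl crl -text, and then verifies the certificate with and without CRL checking, from a CRL file and from a hashed directory holding both an .r0 and an .r1. It assumes the openssl command-line tool (1.1 or later for the exact output wording); the names "Demo CA", "client1", the config sections and the $WORK paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts). Everything here is built in
# a temp dir: "Demo CA", "client1" and the config sections are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

write_config() {
    # [req] covers the CA cert and the CSR; [ca] gives 'openssl ca' the
    # database, serial file and CA key/cert it needs to sign, revoke, gencrl.
    cat >"$CNF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
x509_extensions  = usr_cert
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
}

setup_pki() {
    mkdir -p "$WORK/newcerts" "$WORK/hashdir"
    : >"$WORK/index.txt"
    echo 01 >"$WORK/serial"
    write_config
    # keyUsage on the CA includes cRLSign: a CRL is rejected when its
    # issuer certificate carries a keyUsage extension without it.
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    # Issue through 'openssl ca' so the cert is in the database '-revoke' uses.
    openssl ca -config "$CNF" -batch -notext -in "$WORK/client.csr" \
        -out "$WORK/client.pem" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$WORK/crl0.pem" >/dev/null 2>&1
    # lastUpdate has one-second resolution and, of several loaded CRLs from
    # one issuer, OpenSSL uses the latest, so make CRL #1 strictly newer.
    sleep 1
    openssl ca -config "$CNF" -revoke "$WORK/client.pem" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$WORK/crl1.pem" >/dev/null 2>&1
}

# "Is there any way to validate what's in a CRL?": 'openssl crl' is the
# CRL counterpart of 'openssl x509 -text'.
crl_text() { openssl crl -in "$1" -text -noout; }

# Number of entries under "Revoked Certificates" (0 for an empty CRL).
crl_revoked_count() {
    openssl crl -in "$1" -text -noout | grep -c '^ *Serial Number:' || true
}

# True when the CRL lists the given certificate's serial number.
crl_lists_cert() {
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$1" -text -noout | grep -q "Serial Number: $serial\$"
}

# Verify the client cert and classify the result as ok / revoked / failed.
# The message text is stable across releases; the exit code is not.
verify_status() {
    mode=$1; shift
    if [ "$mode" = crl_check ]; then set -- -crl_check "$@"; fi
    out=$(openssl verify "$@" "$WORK/client.pem" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo failed ;;
    esac
}

# The <hash>.r0, <hash>.r1 naming from the first post: the hashed-directory
# lookup (-CApath) finds CRLs by the issuer's subject hash plus .rN suffixes.
populate_hashdir() {
    h=$(openssl x509 -in "$WORK/ca.pem" -noout -hash)
    cp "$WORK/ca.pem"   "$WORK/hashdir/$h.0"
    cp "$WORK/crl0.pem" "$WORK/hashdir/$h.r0"
    cp "$WORK/crl1.pem" "$WORK/hashdir/$h.r1"
    echo "$h"
}

setup_pki
crl_text "$WORK/crl1.pem"
populate_hashdir >/dev/null
echo "no -crl_check, CRL never consulted:   $(verify_status no_crl_check -CAfile "$WORK/ca.pem")"
echo "-crl_check, CRL #0 (nothing revoked): $(verify_status crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl0.pem")"
echo "-crl_check, CRL #1 (client revoked):  $(verify_status crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl1.pem")"
echo "-crl_check, hashed dir with r0 + r1:  $(verify_status crl_check -CApath "$WORK/hashdir")"
echo "-crl_check, no CRL available at all:  $(verify_status crl_check -CAfile "$WORK/ca.pem")"
```

On the command line, -crl_check is the equivalent of setting X509_V_FLAG_CRL_CHECK on the X509_STORE (and -crl_check_all of X509_V_FLAG_CRL_CHECK_ALL, which also checks the CA certificates in the chain); without that flag the store never consults a CRL at all, which is the first thing to confirm when revoked certificates are still being accepted, and with the flag set but no CRL reachable verification fails rather than silently passing. -CApath is the same hashed-directory lookup that SSL_CTX_load_verify_locations() installs for its directory argument: on each lookup it tries the next <hash>.rN file after the ones it already loaded, so a newer CRL dropped into the directory is seen on the next verification without a restart, and among the CRLs it holds the one with the latest lastUpdate wins.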