On Tue, Nov 27, 2012 at 12:56:38PM -0500, Will Nordmeyer wrote:
> My problem comes when I attempt to implement Certificate Revocation
> List checking.  The Government has a root certificate and about 20-30
> different intermediate certificate authorities that could have issued
> the user certificate.  I have loaded the root and intermediate
> government certificate into my local truststore and am loading it
> properly (based on the fact that the user certificates are recognized
> and accepted).
> 
> I have downloaded all the root certificate CRL data and each
> individual CA's CRL data.  Through the openssl commands, I converted
> them to PEM and then copied them all into one massive CRL file.  I
> have also, for testing, created a file with the root CRL data and the
> CRL data for the CA which issued my Certificate.
> 
> When I run the complete CRL, I run out of memory (271 MB CRL).  When I
> run just the root & my CA, it doesn't run out of memory, but it also
> doesn't trigger the PIN prompt (I assume the CRL check happens before
> the PIN is checked?), and just displays "Page cannot be displayed."

Just brainstorming: I wonder if there's some way to move that enormous
CRL to an OCSP responder (which could manage its memory any way it
likes) and just have Tomcat ask "is this one revoked?"  I don't know
if there's any way to get Tomcat to do that.  I searched for "open
source OCSP responder" and found some, so it shouldn't be too costly
to put up your own if you have availability concerns.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
I don't do "doorbusters".

Attachment: pgpLNCz9kvV07.pgp
Description: PGP signature
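The thread above concerns a 271 MB concatenated PEM CRL bundle that Tomcat cannot hold in memory, and the idea of moving the lookup out of Tomcat so the question becomes "is this one serial revoked?". The script below is an added example, not code from the thread or from Tomcat: it splits a PEM CRL bundle into one entry per issuer with a small dependency-free DER reader, keeps only the newest CRL per issuer, and answers a revocation query against just that issuer's list. The two CRLs it parses are constructed in-line with placeholder signatures, so the example covers parsing and indexing only; a real deployment must also verify each CRL's signature against the issuing CA and treat "no CRL for this issuer" as a failure, not as "good".

```python
"""Index a concatenated PEM CRL bundle by issuer and check a serial against
only that issuer's CRL.  Added example; the sample CRLs are constructed
here and carry a placeholder signature (no signature verification)."""
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes([0x55, 0x04, 0x03])                                    # 2.5.4.3 commonName
OID_SHA256_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])


# ---- minimal DER encoder, used only to construct the sample CRLs ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(value):                      # extra 0x00 byte when the high bit is set
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def der_name(cn):                        # Name ::= SEQUENCE OF SET OF {OID, PrintableString}
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode("ascii")))))

def der_time(dt):                        # UTCTime YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(issuer_cn, revoked_serials, this_update):
    """CertificateList with a placeholder BIT STRING in place of a signature."""
    revoked = b"".join(der(0x30, der_int(s) + der_time(this_update)) for s in revoked_serials)
    tbs = der(0x30, der_int(1)                                  # version v2
              + der(0x30, der(0x06, OID_SHA256_RSA))            # signature AlgorithmIdentifier
              + der_name(issuer_cn) + der_time(this_update)      # issuer, thisUpdate
              + (der(0x30, revoked) if revoked else b""))        # revokedCertificates OPTIONAL
    cert_list = der(0x30, tbs + der(0x30, der(0x06, OID_SHA256_RSA)) + der(0x03, b"\x00"))
    b64 = base64.encodebytes(cert_list).decode("ascii")
    return "-----BEGIN X509 CRL-----\n" + b64 + "-----END X509 CRL-----\n"


# ---- minimal DER reader and CRL parser ----
def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def parse_crl(crl_der):
    """Return (issuer DER bytes, thisUpdate, set of revoked serials)."""
    _, cert_list, _ = der_read(crl_der)
    _, tbs, _ = der_read(cert_list)               # tbsCertList is the first element
    fields = der_children(tbs)
    if fields[0][0] == 0x02:                       # optional version INTEGER
        fields = fields[1:]
    (name_tag, name_body), (time_tag, time_body) = fields[1], fields[2]
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"
    this_update = datetime.strptime(time_body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    rest = fields[3:]
    if rest and rest[0][0] in (0x17, 0x18):        # optional nextUpdate
        rest = rest[1:]
    revoked = set()
    if rest and rest[0][0] == 0x30:                # optional revokedCertificates
        for _, entry in der_children(rest[0][1]):
            revoked.add(int.from_bytes(der_children(entry)[0][1], "big"))
    return der(name_tag, name_body), this_update, revoked

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def index_bundle(pem_text):
    """Map issuer DER -> (thisUpdate, revoked set), keeping the newest CRL per issuer."""
    index = {}
    for m in PEM_CRL.finditer(pem_text):
        issuer, this_update, revoked = parse_crl(base64.b64decode(m.group(1)))
        if issuer not in index or this_update > index[issuer][0]:
            index[issuer] = (this_update, revoked)
    return index

def revocation_status(index, issuer_der, serial):
    """True = revoked, False = absent from the issuer's CRL, None = no CRL for the issuer."""
    entry = index.get(issuer_der)
    return None if entry is None else serial in entry[1]

def issuer_cn(issuer_der):
    _, name, _ = der_read(issuer_der)
    for _, rdn_set in der_children(name):
        for _, attr in der_children(rdn_set):
            oid, value = der_children(attr)
            if oid[1] == OID_CN:
                return value[1].decode("ascii")
    return None

# Constructed sample bundle: a root CRL with no entries and an issuing-CA CRL with two.
NOW = datetime(2012, 11, 27, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BUNDLE = (build_sample_crl("Example Root CA", [], NOW)
                 + build_sample_crl("Example Issuing CA 07", [0x1001, 0x1002], NOW))
INDEX = index_bundle(SAMPLE_BUNDLE)

if __name__ == "__main__":
    for issuer, (updated, revoked) in INDEX.items():
        print(f"{issuer_cn(issuer)}: {len(revoked)} revoked, thisUpdate {updated:%Y-%m-%d}")
    print(revocation_status(INDEX, der_name("Example Issuing CA 07"), 0x1001))
```

Because the index is keyed on the issuer's DER-encoded Name, a lookup touches only the one CRL that can speak for a given certificate, which is the same per-issuer split that an OCSP responder or a separate revocation service performs internally instead of asking the application server to hold every CA's list at once.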
