The objective is to check for certificate revocation using CRL, directly and simply distributed by the PKI without making any script (preprocessing of the CRL and another for revocation checking). So i understand that it is not so simple (except with OCSP) Thank you. 2014-10-29 17:16 GMT+01:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 29 Oct 2014, at 11:25, Alan DeKok <aland@deployingradius.com> wrote:
vincent viard wrote:
I just want to know if the following statement is always true:
"You will still need to restart FreeRADIUS after downloading a new CRL"
OpenSSL doesn't allow for the dynamic reloading of CRLs.
If your CRLs change often, use OCSP.
Or perform validation using the exposed cert fields. There's no reason why you couldn't use an SQL or LDAP directory to check certificate validity.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html