Certificate Revocation List updates with mod_nss and NSS softoken with no fork-after-init


Issue

When performing client authentication with digital certificates against an Apache server configured with the mod_revocator and mod_nss modules, an httpd restart is required in order to successfully import an updated Certificate Revocation List (CRL).

In some cases, Online Certificate Status Protocol (OCSP) is not used, and downloading updated CRLs with client authentication can be seen as a complement or replacement (this could be referred to as "Dynamic CRL Loading").

Environment

  • Red Hat Enterprise Linux 5 x86_64
  • Red Hat Directory Server 8.1 (example with redhat-ds-base-8.1.1-1.el5dsrv)
  • Red Hat Certificate System 8.0 (example with pki-ca-8.0.6-1.el5pki)
  • Apache web server (example with httpd-2.2.3-31.el5)
