Certificate Revocation List updates with mod_nss and NSS softoken with no fork-after-init



When doing client authentication using digital certificates against an Apache server configured with the mod_revocator and mod_nss plugins, an httpd restart is required in order to successfully import an updated Certificate Revocation List (CRL).

In some cases, Online Certificate Status Protocol (OCSP) is not used, and downloading updated CRLs with client authentication can be seen as a complement or replacement (this could be referred to as "Dynamic CRL Loading").


  • Red Hat Enterprise Linux 5 x86_64
  • Red Hat Directory Server 8.1 (example with redhat-ds-base-8.1.1-1.el5dsrv)
  • Red Hat Certificate System 8.0 (example with pki-ca-8.0.6-1.el5pki)
  • Apache web server (example with httpd-2.2.3-31.el5)
