Issue #568
CRL
Affected version: 5.1.2
Resolution: No feedback
Description
Hello, we are currently having problems dynamically updating the CRL list. Once we revoke a cert, is there a way for that change to be immediate? Presently we need to restart IPSEC for the changes to occur.
Thanks for any assistance
History
#1 Updated by Andreas Steffen about 8 years ago
- Status changed from New to Feedback
- Assignee set to Andreas Steffen
Hi Jim,
the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly, then you must either dramatically reduce the lifetime of a CRL, e.g. down to an hour, or use the Online Certificate Status Protocol (OCSP), which will give you real-time information on the certificate status.
Andreas
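The caching behaviour described in comment #1, modelled as an added example (not part of the original thread and not strongSwan code): a gateway keeps its cached CRL until nextUpdate, so a revoked certificate stays accepted for up to one CRL lifetime. The `Ca`, `Gateway` and `exposure` names, the serial number, the one-minute retry interval and a CA that serves an up-to-date CRL on every fetch are all assumptions of the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SERIAL = 0x1001  # constructed serial number of the certificate being revoked

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset

@dataclass
class Ca:  # hypothetical CA: every fetch returns a CRL reflecting current revocations
    lifetime: timedelta
    revoked: set = field(default_factory=set)

    def issue_crl(self, now):
        return Crl(now, now + self.lifetime, frozenset(self.revoked))

@dataclass
class Gateway:  # model of a verifier that trusts its cached CRL until nextUpdate
    ca: Ca
    cached: Crl = None
    fetches: int = 0

    def accepts(self, serial, now):
        # Refetch only when there is no CRL yet or nextUpdate has been reached.
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.issue_crl(now)
            self.fetches += 1
        return serial not in self.cached.revoked

def exposure(lifetime, revoke_after, retry=timedelta(minutes=1)):
    """How long the revoked certificate is still accepted after revocation."""
    start = datetime(2024, 1, 1)  # constructed start time; first CRL fetched here
    revoked_at = start + revoke_after
    ca = Ca(lifetime)
    gw = Gateway(ca)
    now = start
    while True:  # the peer attempts to authenticate once per retry interval
        if now >= revoked_at:
            ca.revoked.add(SERIAL)
        if not gw.accepts(SERIAL, now):
            return now - revoked_at
        now += retry

if __name__ == "__main__":
    for life in (timedelta(days=7), timedelta(hours=1)):
        print(f"CRL lifetime {life}: accepted for {exposure(life, timedelta(minutes=10))}")
```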
#2 Updated by Tobias Brunner about 7 years ago
- Status changed from Feedback to Closed
- Resolution set to No feedback