Issue #568

CRL

Added by Jim Smith almost 6 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Category: -
Affected version: 5.1.2
Resolution: No feedback

Description

Hello, we are currently having problems dynamically updating the CRL list. Once we revoke a cert, is there a way for that change to be immediate? Presently we need to restart IPSEC for the changes to occur.

Thanks for any assistance

History

#1 Updated by Andreas Steffen almost 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Andreas Steffen

Hi Jim,

the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly, then you must either dramatically reduce the lifetime of a CRL, e.g. down to an hour, or use the Online Certificate Status Protocol (OCSP), which will give you real-time information on the certificate status.

Andreas
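
A small model of the caching rule described in the reply above, added here as an illustration; it is not strongSwan code and not part of the original thread. The `Ca` and `Verifier` classes, the serial number and the dates are constructed, and the CA is assumed to publish an updated CRL the moment a certificate is revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    next_update: datetime
    revoked: frozenset

class Ca:
    """Hypothetical CA: every published CRL reflects all revocations so far."""
    def __init__(self, crl_lifetime):
        self.crl_lifetime = crl_lifetime
        self.revoked = set()

    def publish(self, now):
        return Crl(now + self.crl_lifetime, frozenset(self.revoked))

class Verifier:
    """Keeps its cached CRL until that CRL's nextUpdate has passed."""
    def __init__(self, ca):
        self.ca = ca
        self.cached = None

    def accepts(self, serial, now):
        if self.cached is None or now > self.cached.next_update:
            self.cached = self.ca.publish(now)  # the only point a fetch happens
        return serial not in self.cached.revoked

def exposure(crl_lifetime, revoke_after, step=timedelta(minutes=1)):
    """How long a certificate is still accepted after the CA revoked it."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed date
    serial = 0x2A                                      # constructed serial
    ca = Ca(crl_lifetime)
    verifier = Verifier(ca)
    verifier.accepts(serial, start)      # first authentication caches a CRL
    revoked_at = start + revoke_after
    ca.revoked.add(serial)               # CA revokes and republishes at once
    now = revoked_at
    while verifier.accepts(serial, now):  # peer keeps authenticating
        now += step
    return now - revoked_at

if __name__ == "__main__":
    for lifetime in (timedelta(days=7), timedelta(hours=1)):
        print(lifetime, "->", exposure(lifetime, timedelta(minutes=10)))
```

The worst-case window is bounded by the CRL lifetime, which is why shortening it to an hour narrows the gap while only a per-authentication status query such as OCSP removes it.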

#2 Updated by Tobias Brunner over 4 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
