Hello, we are currently having problems dynamically updating the CRL list. Once we revoke a cert, is there a way for that change to be immediate? Presently we need to restart IPSEC for the changes to occur.
Thanks for any assistance.
#1 Updated by Andreas Steffen almost 6 years ago
- Status changed from New to Feedback
- Assignee set to Andreas Steffen
The strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly, then you must either dramatically reduce the lifetime of a CRL, e.g. down to an hour, or use the Online Certificate Status Protocol (OCSP), which will give you real-time information on the certificate status.
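
Added example (not part of the original thread and not strongSwan code): a small Python audit that reads the output of `openssl crl -noout -lastupdate -nextupdate` and computes how long a revocation stays invisible to a peer that caches the CRL until nextUpdate, as described in the reply above. The sample CRL dates, the function names and the one-hour policy value are constructed for illustration, and the model assumes the CA publishes the updated CRL promptly and the fetch succeeds.

```python
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl crl`

def parse_crl_window(openssl_output):
    """Return (lastUpdate, nextUpdate) from `openssl crl -noout -lastupdate -nextupdate`."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), OPENSSL_FMT)
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["lastUpdate"], fields["nextUpdate"]

def revocation_visible_at(revoked_at, cached_next_update):
    """A peer holding the cached CRL does not refetch before nextUpdate has passed."""
    return max(revoked_at, cached_next_update)

def audit(openssl_output, revoked_at, max_delay):
    """Compare the CRL lifetime (the worst-case revocation delay) with a policy limit."""
    last_update, next_update = parse_crl_window(openssl_output)
    lifetime = next_update - last_update
    visible = revocation_visible_at(revoked_at, next_update)
    return {
        "crl_lifetime": lifetime,
        "delay_for_this_revocation": visible - revoked_at,
        "within_policy": lifetime <= max_delay,
    }

# Constructed sample: a CRL issued with a one-week lifetime.
WEEKLY_CRL = """
lastUpdate=May  1 12:00:00 2024 GMT
nextUpdate=May  8 12:00:00 2024 GMT
"""
# Constructed sample: the same CA reissuing its CRL every hour.
HOURLY_CRL = """
lastUpdate=May  2 09:00:00 2024 GMT
nextUpdate=May  2 10:00:00 2024 GMT
"""
REVOKED_AT = datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc)  # constructed
POLICY = timedelta(hours=1)  # assumed target, taken from "down to an hour"

if __name__ == "__main__":
    for name, crl in (("weekly", WEEKLY_CRL), ("hourly", HOURLY_CRL)):
        print(name, audit(crl, REVOKED_AT, POLICY))
```

With the weekly CRL the revoked certificate keeps being accepted for more than six days; with the hourly CRL the same revocation is picked up within 30 minutes.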