[Mod_nss-list] some questions regarding mod_nss and CRLs

Rob Crittenden rcritten at redhat.com
Fri Aug 20 15:53:59 UTC 2010


Luis Neves wrote:
> Hi there,
>
> Can someone help me with these questions I have?
>
> How can I update an NSS CRL list? Is just running the same command I've used
> to create the CRL list, but this time with a more recent CRL file,
> enough?
> For example, I've created the CRL database using
>
> crlutil -B -I -d /etc/httpd/alias/ -i ./LatestCRL.crl
>
> If I now download a more updated version of Latest.crl, is it enough to
> use the same command to replace the existing list with the updated one?
>

I believe it will replace the old CRL.

> Next question:
> After the above operation, is it necessary to restart Apache (so it
> sees the most recent changes in the NSS database)?

Yes, a restart is required. You might want to look at mod_revocator. It 
is another Apache module that can be configured to automatically 
retrieve CRLs and make them available to a running NSS database. The CRL 
isn't installed into the database but made available over PKCS#11.

>
> And a final one:
>
> As you can see, I've used the "B" option when importing the CRL; if not,
> I get some errors about the CA validation.
> Now, to query the CRL DB list using the command
>
> crlutil -L -d /etc/httpd/alias/
>
> I get
>
> CRL names CRL Type
>
> crlutil: could not find signing certificate in database: security
> library: bad database.
> CN=BT/DigitalSign Qualified CA,OU=Class 2 Managed PKI Individual
> Subscriber CA,OU=Terms of use at https://www.trustwise.com/rpa
> (c)08,OU=VeriSign Trust Network,OU=LRA - DigitalSign Certificadora
> Digital (PT507015851),O=British Telecommunications plc,C=GB CRL
>
> Can I ignore this crlutil error? Is my database bad? Can this DB still be
> used?

Looks like you need to add the CA that is signing the CRL to your NSS 
database.

rob
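The three answers above amount to one procedure: re-import the CRL with crlutil, check the listing for the "could not find signing certificate" condition (which means the CRL's issuer certificate is not in the database), and restart Apache afterwards because mod_nss only reads the database at startup. The script below is an added example and is not code from the thread or from the mod_nss/NSS projects. It assumes the database directory `/etc/httpd/alias` from the thread; the CA nickname, the CA certificate path, the certutil trust flags and the `service httpd restart` command are assumptions. The `crlutil -L` listing embedded in it is a constructed sample modelled on the one quoted above, with the issuer DN shortened.

```shell
#!/bin/sh
# Added example (not code from the list thread or from mod_nss/NSS).
# Wraps the steps from the thread: re-import the CRL, check the listing for
# a missing issuer certificate, and restart httpd only when the import is clean.

NSSDB="${NSSDB:-/etc/httpd/alias}"                   # database dir from the thread
CA_NICK="${CA_NICK:-CRL issuer CA}"                  # assumed nickname for the CA
RESTART_CMD="${RESTART_CMD:-service httpd restart}"  # assumed restart command

# Constructed sample of `crlutil -L` output, modelled on the listing quoted
# in the thread (issuer DN shortened). Used only for the offline self-check.
SAMPLE_LISTING='CRL names                            CRL Type

crlutil: could not find signing certificate in database: security library: bad database.
CN=BT/DigitalSign Qualified CA,O=British Telecommunications plc,C=GB CRL'

# Return 0 when a `crlutil -L` listing carries the error quoted in the thread,
# i.e. a stored CRL whose issuer certificate is not in the database.
crl_issuer_missing() {
    printf '%s\n' "$1" | grep -q 'could not find signing certificate in database'
}

# Print the issuer DN of every CRL in a `crlutil -L` listing, one per line.
# Data rows end in " CRL"; the header ends in "CRL Type", so it is skipped.
crl_issuers() {
    printf '%s\n' "$1" | sed -n 's/ CRL$//p'
}

# Diagnose a listing: print the stored CRL issuers and, if an issuer
# certificate is missing, the certutil command that adds it. Returns 1 in
# that case so callers know not to restart Apache yet.
diagnose_listing() {
    listing="$1"
    echo "CRLs stored in $NSSDB:"
    crl_issuers "$listing" | sed 's/^/  /'
    if crl_issuer_missing "$listing"; then
        echo "issuer certificate missing; import it (trust flags are an assumption):" >&2
        echo "  certutil -A -d $NSSDB -n '$CA_NICK' -t 'CT,,' -i /path/to/crl-issuer-ca.pem" >&2
        return 1
    fi
    return 0
}

# Refresh the CRL from a freshly downloaded file. -I imports it (replacing the
# CRL from the same issuer); -B bypasses issuer checks at import time, as in
# the thread. The listing afterwards shows whether the issuer is present.
# mod_nss reads the database only at startup, so httpd is restarted last.
refresh_crl() {
    crl_file="$1"
    crlutil -I -B -d "$NSSDB" -i "$crl_file" || return 1
    listing=$(crlutil -L -d "$NSSDB" 2>&1)
    diagnose_listing "$listing" || return 2
    $RESTART_CMD
}

case "${1:-}" in
    refresh) refresh_crl "$2" ;;                          # sh crl-refresh.sh refresh ./LatestCRL.crl
    *)       diagnose_listing "$SAMPLE_LISTING" || true ;;  # offline self-check on the sample
esac
```

Run without arguments it only diagnoses the embedded sample and reports the missing issuer; run as `sh crl-refresh.sh refresh ./LatestCRL.crl` it performs the import, and the restart is skipped (exit status 2) whenever the listing still shows the signing-certificate error, which is the situation in the last question above.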
