[Dovecot] how to handle CA CRL updates with client certificate verification context ?

Raphael PRECIGOUT raphael.precigout at karinet.com
Fri Mar 13 03:55:04 EET 2009


Hello,

As far as I can read in the Dovecot SSL configuration wiki page, each CA 
cert must be followed by the related CA CRL in the client certificate 
verification context ("ssl_ca_file" setting). In my company we have 
our own PKI, and as soon as a client certificate is compromised we 
revoke it and update the related CA's CRL.
Does that mean that I have to issue a new "ssl_ca_file" file as soon as 
our issuing CA CRL is updated? If yes, does anyone have an idea of how 
to do so? Is it then necessary to restart the Dovecot process (to take the 
"ssl_ca_file" file changes into account)?
Does Dovecot have a way to check the issuing CA CRL automatically? (The 
CRL is published in DER format and is accessible through HTTP; the URI is 
mentioned in the CRL Distribution Points of the CA certificate.)

Thanks in advance for your help.
Regards,
Raphael
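
One way to regenerate the "ssl_ca_file" bundle described in the question, as an added example that is not part of the original post and not Dovecot's own code: it converts the DER CRL to PEM, rejects truncated or non-DER downloads, and atomically writes each CA certificate followed by its CRL. The function names and the choice of Python are assumptions; the code does not verify the CRL's signature or validity dates, and this page does not say whether Dovecot must be reloaded or restarted afterwards.

```python
import base64, os, tempfile, urllib.request

def fetch_crl(url: str) -> bytes:
    """Download the DER CRL from the CA's CRL distribution point (URL supplied by caller)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()

def check_der(der: bytes) -> None:
    """Reject empty, truncated or non-DER bodies (for example an HTML error page)."""
    if len(der) < 2 or der[0] != 0x30:           # a CRL is an ASN.1 SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                            # short-form length
        total = 2 + der[1]
    else:                                        # long form: k length bytes follow
        k = der[1] & 0x7F
        if k == 0 or len(der) < 2 + k:
            raise ValueError("bad DER length")
        total = 2 + k + int.from_bytes(der[2:2 + k], "big")
    if total != len(der):
        raise ValueError("truncated or padded CRL")

def crl_der_to_pem(der: bytes) -> str:
    """Structural check only; signature and nextUpdate are NOT verified here."""
    check_der(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"

def build_ca_file(pairs) -> str:
    """pairs: iterable of (ca_cert_pem, crl_der); each CA cert is followed by its CRL."""
    return "".join(ca.strip() + "\n" + crl_der_to_pem(crl) for ca, crl in pairs)

def write_atomically(path: str, data: str) -> None:
    """Write beside the target, then rename, so a reader never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

A failed download or a truncated CRL raises before anything is written, so the previous bundle stays in place.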

