using ssl_crl with CRLs (plural)

Maxim Dounin mdounin at
Tue Apr 22 17:03:09 UTC 2014


On Tue, Apr 22, 2014 at 06:13:54PM +0200, Florian Le Goff wrote:

> Hi there,
> I am trying to setup a x509 client cert check with Nginx. Everything
> is running smoothly until I add the ssl_crl directive.
> Unfortunately, my CA happens to release its CRLs under several
> files... for historic reasons from what I heard.
> With Apache/mod_ssl; the SSLCARevocationFile directive sets a
> concatenated PEM-encoded CA CRLs, even if concatenated files are not
> fully compliant with the CRL logic.
> Is it something that might be setup with nginx ? The ability to setup
> a list of the individual files somewhere in the nginx configuration
> would be optimal.

Multiple PEM-encoded CRLs concatenated into a single file should 
work fine.  Note that both Apache/mod_ssl and nginx rely on 
OpenSSL to load CRL files, and handling is more or less identical.

Maxim Dounin

More information about the nginx mailing list