Efficient CRL checking at Nginx

sandeepkolla99 nginx-forum at nginx.us
Mon Dec 15 19:48:03 UTC 2014


Hi,
I want to check the validity of a client certificate against a CRL. So, I
have defined the following in nginx.conf:
      
    server {
        listen 80;
        listen 443 ssl;
        server_name localhost;
        ssl_certificate serverCert.pem;
        ssl_certificate_key serverKey.key;
        ssl_client_certificate RootCA.pem;   # CA used to verify client certificates
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_crl CrlFile.pem;                 # PEM-format CRL used during verification
    }

If I write my nginx.conf as follows, it works fine. My application is
expected to process a huge number of requests every day, and for each
request the client certificate validity is checked against CrlFile.pem
(specified at ssl_crl).

1. Does it affect the server's response time, because each time it has to
   open and read CrlFile.pem?
2. My CrlFile.pem will be updated once a day as per my requirement. So, is
   there any caching mechanism performed by Nginx to cache CrlFile.pem,
   because it has a new copy only once a day?
3. Could you please help me in figuring out the best practice for
   validating a client certificate against a CRL?

Regards,
Sandeep

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,255509,255509#msg-255509
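
One way to handle the once-a-day CrlFile.pem update described in the post above, as an added example that is not part of the original post: nginx reads the ssl_crl file when the configuration is loaded (start or reload), so a replaced file only takes effect after a reload. The function names, file paths and the use of GNU date are assumptions of this sketch, and the new CRL is assumed to be already downloaded.

```shell
#!/bin/sh
# Added example: validate a freshly downloaded CRL, swap it in atomically,
# then reload nginx so the workers pick it up.
# Assumptions: file names are placeholders; GNU date (-d) is available.

# crl_is_usable NEW_CRL CA_FILE -> 0 if signed by the CA and not yet expired
crl_is_usable() {
    # Some openssl builds exit 0 even on "verify failure", so match the text.
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK' || {
        echo "CRL signature does not verify against $2" >&2; return 1; }
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 1
    next=${next#nextUpdate=}
    # An expired CRL makes verification fail for every client certificate.
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ] || {
        echo "CRL already expired: $next" >&2; return 1; }
}

# refresh_crl NEW_CRL LIVE_CRL CA_FILE
refresh_crl() {
    crl_is_usable "$1" "$3" || return 1
    cmp -s "$1" "$2" && return 0                      # unchanged: no reload
    [ -f "$2" ] && cp -p "$2" "$2.prev"               # keep a rollback copy
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2" || return 1  # rename is atomic
    if nginx -t -q; then
        nginx -s reload                               # graceful worker restart
    else
        # Config test failed with the new file: restore the previous CRL.
        [ -f "$2.prev" ] && mv "$2.prev" "$2"
        return 1
    fi
}

# Run as: refresh-crl.sh /tmp/new.pem /etc/nginx/CrlFile.pem /etc/nginx/RootCA.pem
if [ "$#" -eq 3 ]; then refresh_crl "$@"; fi
```

Run it from cron after the daily download; a failed signature or expiry check leaves the live CRL and the running workers untouched.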


