We are running a CA that has thousands of revoked certificates,
which leads to CRLs of several MBytes.
On the next nenewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.
For example, for X=100, from certificate 1 to certificate 100, the
CDP would be [url]http://myca.com/crl/myca-0001.crl[/url], from certificate 101
to 200 the CDP would be [url]http://myca.com/crl/myca-0002.crl[/url], and so on.
My question: Is mod_ssl/openssl prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached,
mod_ssl must be able to merge several different partitions according
to the CDP to create a unified view over the revocation universe of a
Apache Interface to OpenSSL (mod_ssl) [url]www.modssl.org[/url]
User Support Mailing List [email]firstname.lastname@example.org[/email]
Automated List Manager [email]email@example.com[/email]