Nuno Ponte wrote:
> Hi,
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
> On the next renewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
> For example, for X=100, from certificate 1 to certificate 100, the
> CDP would be, from certificate 101
> to 200 the CDP would be, and so on.

The CDP is embedded when creating the certificate, so it might be possible
(client side).

Server side, you can stack as many CRLs as you want into either a single
file, or a directory (using hashing) and point to it in Apache.
But you may apply a patch for multiple identical DN handling.

Why didn't you implement OCSP into Apache? (I
didn't test it anyway)

The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
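
The hashed CRL directory mentioned in the reply above, as an added example that is not part of the original message: the function links each PEM CRL under its issuer-name hash, and CRLs that share an issuer (as partitioned CRLs from one CA do) receive `.r0`, `.r1`, ... suffixes. It assumes the `openssl` command-line tool is installed; the function name `hash_crl_dir` and both directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: build an OpenSSL-style hashed CRL directory.
# Usage: hash_crl_dir SRC_DIR DST_DIR   (both directory names are assumptions)
hash_crl_dir() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    # Drop links left by an earlier run so suffixes are assigned afresh.
    for old in "$dst"/*.r[0-9]*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for crl in "$src"/*.pem; do
        [ -f "$crl" ] || continue
        # Issuer-name hash: the value the hashed-directory lookup uses.
        h=$(openssl crl -in "$crl" -noout -hash 2>/dev/null) || {
            echo "skipping $crl: not a PEM CRL" >&2
            continue
        }
        # CRLs from the same issuer share a hash; number them .r0, .r1, ...
        n=0
        while [ -e "$dst/$h.r$n" ] || [ -L "$dst/$h.r$n" ]; do
            n=$((n + 1))
        done
        ln -s "$(cd "$src" && pwd)/$(basename "$crl")" "$dst/$h.r$n"
        echo "$h.r$n -> $crl"
    done
}
```

The resulting directory is the kind that mod_ssl's `SSLCARevocationPath` directive points at.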
