fm4dd / webcert

WebCert is a Web application to generate and manage digital certificates in cases where no "full" CA is needed.
http://webcert.fm4dd.com
MIT License

Revoked certificate does not create a new CRL #2

Closed fm4dd closed 2 years ago

fm4dd commented 2 years ago

A freshly revoked certificate does not create a new CRL at the time of revocation. The 3-month periodic CRL update (crontab entry) will add all revoked certs to the updated CRL.

As a workaround, manual execution of the crontab command successfully adds all "waiting" revoked certs.

fm4dd commented 2 years ago

An improved workaround script "update-crl.sh" has been created, which is triggered daily through cron. It checks if a new revocation happened that requires the refresh of the CRL, and publishes the new CRL if needed. New revocations can now become public with several hours' delay. A higher cron frequency could shorten the time gap. Eventually, a new CRL creation should be triggered directly from the revocation itself, but the current asynchronous batch mode is a decent compromise.
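The check described in the comment above, sketched as an added example; this is not the project's update-crl.sh. It assumes an OpenSSL `ca`-style tab-separated `index.txt` and a text dump of the published CRL, and the function names and the `$CRL`/`$CONF` variables in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not WebCert's update-crl.sh.
# Assumption: the CA keeps an OpenSSL "ca"-style index.txt, and the published
# CRL has been dumped to text with: openssl crl -in "$CRL" -noout -text

# Normalize a hex serial: uppercase, no leading zeros (awk snippet, reused below).
NORM='s = toupper(s); sub(/^0+/, "", s); if (s == "") s = "0"; print s'

# Print serials of revoked entries (status "R") from index.txt.
# Tab-separated fields: status, expiry, revocation date[,reason], serial, file, DN.
revoked_in_index() {
    awk -F'\t' '$1 == "R" { s = $4; '"$NORM"' }' "$1" | sort -u
}

# Print serials listed under "Revoked Certificates" in a CRL text dump.
revoked_in_crl_text() {
    awk '/Serial Number:/ { s = $NF; '"$NORM"' }' "$1" | sort -u
}

# Print serials that are revoked in the index but missing from the CRL,
# i.e. the "waiting" revocations that are not yet public.
pending_revocations() {
    idx=$(mktemp); crl=$(mktemp)
    revoked_in_index "$1" > "$idx"
    revoked_in_crl_text "$2" > "$crl"
    comm -23 "$idx" "$crl"
    rm -f "$idx" "$crl"
}

# Exit status 0 when the CRL must be regenerated, 1 when it is current.
crl_needs_refresh() {
    [ -n "$(pending_revocations "$1" "$2")" ]
}

# Usage from cron (paths are placeholders):
#   openssl crl -in "$CRL" -noout -text > /tmp/crl.txt
#   crl_needs_refresh index.txt /tmp/crl.txt && \
#       openssl ca -gencrl -config "$CONF" -out "$CRL"
```

Comparing serials rather than file timestamps means a revocation is never missed because of clock skew or a touched file; the exposure window is still bounded by the cron interval.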