[CentOS] Certificates Revocation Lists and Apache...

nate centos at linuxpowered.net
Wed Nov 4 15:40:41 UTC 2009

John Doe wrote:

>   [warn] Invalid signature on CRL
>   [error] Certificate Verification: Error (8): CRL signature failure

Any relation to this?

I've worked with a lot of SSL stuff in Apache but have never
touched CRL before.

Interestingly enough, I found last year that some of VeriSign's
CRLs weren't built to scale. One of our customers put some content
on their site that pointed back to us, which then triggered a call
to the CRL for those people using IE and Symantec antivirus (which
turned on the CRL option in IE). The site was a very high traffic
site and the customers routinely got errors from the CRL site
because it was overloaded with requests.

So few use CRL, I really don't see the benefit, but I suppose in
really controlled environments it could be useful (just not to me).


