
Apache with mod_ssl has built-in support for using CRLs to validate certificates. Currently Apache does not include support for validation using OCSP. To configure mod_ssl to use CRLs, use the steps below.
Note: this setup assumes that the Certificate Authority (CA) publishes its CRL once a day, valid for a full week, in the local LDAP directory. In practice, CRL checking will depend heavily on the local policy, so the following is one example of how to implement CRL support.
# SSLCARevocationPath /usr/local/new-apache/conf/ssl.crl
Uncomment the line by removing the initial "#" character, and fix the path so that it points to the ssl.crl directory.
0 10 * * * /path/to/script/crl-from-ldap.pl --crl-base=/path/to/apache/conf/ssl.crl
Change "/path/to/script/" to the directory where the script actually lives. The script can live almost anywhere; just put it somewhere it will not be overwritten by accident when Apache is upgraded. Change "/path/to/apache/conf/" to the path you gave for SSLCARevocationPath above.
Traditionally, crontab entries are installed by running "crontab -e", but your mileage may vary depending on which flavor of Unix you are using.

Right now, the script searches LDAP for a new version of the CRL and downloads it if it finds one newer than the one currently on the system. For now, old files are not deleted. Later, once we are confident that everything is working, we can add the "--purge-old-files" option to the end of the cron line, and the script will automatically delete the old CRL once the new one is in place.
Here is the script: crl-from-ldap.pl
There's a lot of information near the bottom of the script, in perldoc format. This can be accessed by executing the script with the "--man" flag.
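The two decisions the cron job has to get right are "is the downloaded CRL newer than the installed one?" and "has the installed CRL already passed its nextUpdate?". The second matters because mod_ssl (through OpenSSL) rejects client certificates outright with a "CRL has expired" error once nextUpdate is in the past, so a CA that publishes daily with a one-week validity leaves a six-day margin and a silently failing fetch job shows up as every client being refused. The following is an added example, not part of this page or of crl-from-ldap.pl: a standard-library Python check that reads thisUpdate and nextUpdate straight out of a DER-encoded CRL and makes both decisions, plus the "keep only the newest" selection that a purge option needs. The sample CRLs are constructed in-line with a small DER encoder and carry a dummy signature; the example does not verify signatures, and the issuer name "Example CA" and the dates are made up. Note also that mod_ssl finds files in SSLCARevocationPath through hash-named symlinks (made with c_rehash or the Makefile in that directory), so a freshly downloaded CRL must be rehashed before Apache will use it.

```python
"""Freshness check for the CRLs that mod_ssl reads from SSLCARevocationPath.

Added example, not part of the original page or of crl-from-ldap.pl.  Only the
standard library is used: a minimal DER reader extracts thisUpdate/nextUpdate
from an X.509 CRL, and the decision logic mirrors what a fetch-and-install cron
job needs.  The sample CRLs are constructed below with a toy DER encoder and
carry a dummy signature, so nothing here verifies signatures.
"""
import datetime as dt

UTCTIME, GENTIME, INTEGER, SEQUENCE = 0x17, 0x18, 0x02, 0x30
UTC = dt.timezone.utc


def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, body, offset_after)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def parse_time(tag, body):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)


def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    _, cert_list, _ = read_tlv(crl_der, 0)         # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)              # TBSCertList
    off = 0
    tag, _, nxt = read_tlv(tbs, off)
    if tag == INTEGER:                              # optional version field
        off = nxt
    _, _, off = read_tlv(tbs, off)                  # signature AlgorithmIdentifier
    _, _, off = read_tlv(tbs, off)                  # issuer Name
    tag, body, off = read_tlv(tbs, off)             # thisUpdate
    this_update = parse_time(tag, body)
    next_update = None
    if off < len(tbs):
        tag, body, _ = read_tlv(tbs, off)
        if tag in (UTCTIME, GENTIME):               # nextUpdate is OPTIONAL
            next_update = parse_time(tag, body)
    return this_update, next_update


def decide(installed_der, fetched_der, now):
    """Return (action, installed_expired): action is "install" when the fetched
    CRL has a later thisUpdate than the installed one, else "keep"."""
    inst_this, inst_next = crl_validity(installed_der)
    new_this, _ = crl_validity(fetched_der)
    expired = inst_next is not None and now > inst_next
    return ("install" if new_this > inst_this else "keep"), expired


def stale_crls(named_crls):
    """Given {filename: der}, return the filenames that are not the newest CRL
    (what a --purge-old-files style option would delete)."""
    newest = max(named_crls, key=lambda name: crl_validity(named_crls[name])[0])
    return sorted(name for name in named_crls if name != newest)


# ---- constructed sample data (not real CA output) -----------------------
SIG_ALG = der(SEQUENCE, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
ISSUER = der(SEQUENCE, der(0x31, der(SEQUENCE,
             der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))


def make_crl(this_update, days_valid):
    """Constructed v2 CRL with no revoked entries and a dummy signature."""
    utc = lambda t: der(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + SIG_ALG + ISSUER
              + utc(this_update) + utc(this_update + dt.timedelta(days=days_valid)))
    return der(SEQUENCE, tbs + SIG_ALG + der(0x03, b"\x00" + b"\xaa" * 16))


# CA publishes daily, each CRL valid for a week (the policy assumed on the page).
INSTALLED_CRL = make_crl(dt.datetime(2003, 6, 23, 10, 0, tzinfo=UTC), 7)
FETCHED_CRL = make_crl(dt.datetime(2003, 6, 30, 10, 0, tzinfo=UTC), 7)
NOW = dt.datetime(2003, 6, 30, 10, 5, tzinfo=UTC)   # five minutes past nextUpdate

if __name__ == "__main__":
    action, expired = decide(INSTALLED_CRL, FETCHED_CRL, NOW)
    print("action:", action, "| installed CRL expired:", expired)
    print("purge:", stale_crls({"crl-0623.der": INSTALLED_CRL, "crl-0630.der": FETCHED_CRL}))
```

In the sample run the fetch job has skipped a week, so the installed CRL is already past nextUpdate at the moment the new one arrives; a real job should alert on that condition rather than just install quietly, since Apache was refusing client certificates in the meantime.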
NEWS
Updated Aug 19, 2003: (version 0.9.7) The command used to restart apache can be specified with --restart-command=command. Setting this option implies --apache-restart.
Updated Jul 11, 2003: (version 0.9.6) Restart Apache by default after the CRL is updated. Can be disabled by passing --noapache-restart on the command line.
Dartmouth College PKI Lab
Last update: 30 June, 2003