This question may be better asked in the NSS mailing list. Feel free to let me know if that is the case.
I'm building a service based around OpenLDAP and SASL EXTERNAL authentication using client certificates. One of requirements is that we have the ability to revoke client certificates. I've found that the only way to revoke a client certificate using an NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
- Revoke the certificate - Import the CRL into the db referenced by olcTLSCACertificatePath - restart slapd
Is there a way to update the CRL without restarting slapd? And is there any way to make slapd request the URL referenced in the client cert's nsCaRevocationUrl attribute? If the answer to this is "use OpenSSL", that's a fine answer.
Regards, David