joakim@comex.se wrote:
> I'm using OpenLDAP with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all".

Are you using client certificates for authentication?

> When the CRL has expired the client is not allowed to make a TLS connection.

Well, that's how a relying party in an X.509 PKI is supposed to act. If the CRL is expired, a cert cannot be used (trusted).

> My question is whether it is possible to configure OpenLDAP to let the client connect to the server (possibly with a warning) even when the CRL has expired.

Don't use CRL checking if you don't want it to have an effect. Simply like that.

Ciao, Michael.
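Since an expired CRL makes slapd refuse the handshake when TLSCRLCheck is enabled, the practical fix is to notice the CRL is about to lapse before that happens. The following added example (not from the thread or from OpenLDAP) is a small monitor that reads the text `openssl crl -noout -nextupdate` prints for the CRL file slapd has been given and classifies it as ok, expiring or expired; the sample output and file name are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl crl -in ca.crl -noout -lastupdate -nextupdate`
# prints (ca.crl is a placeholder name, not a file from the thread).
SAMPLE_OPENSSL_OUTPUT = """lastUpdate=Mar  1 09:00:00 2024 GMT
nextUpdate=Mar 15 09:00:00 2024 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(openssl_output: str) -> datetime:
    """Extract the nextUpdate field from openssl's text output as an aware UTC datetime."""
    match = re.search(r"^nextUpdate=(.+)$", openssl_output, re.MULTILINE)
    if not match:
        raise ValueError("no nextUpdate field in openssl output")
    # openssl pads single-digit days with a space ("Mar  1"); strptime tolerates that.
    return datetime.strptime(match.group(1).strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def crl_status(openssl_output: str, now: datetime, warn_within: timedelta = timedelta(days=3)):
    """Return ('expired' | 'expiring' | 'ok', time remaining until nextUpdate).

    'expired' is exactly the condition from the thread: with TLSCRLCheck set,
    slapd will reject TLS clients, so the monitor should alert while 'expiring'.
    """
    remaining = parse_next_update(openssl_output) - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= warn_within:
        return "expiring", remaining
    return "ok", remaining


def report(openssl_output: str, now_iso: str) -> str:
    """Convenience wrapper taking the current time as an ISO 8601 string (e.g. from cron)."""
    status, remaining = crl_status(openssl_output, datetime.fromisoformat(now_iso))
    return status


if __name__ == "__main__":
    # Walk the same CRL through three points in time to show each outcome.
    for now_iso in ("2024-03-10T00:00:00+00:00", "2024-03-14T00:00:00+00:00", "2024-03-16T00:00:00+00:00"):
        print(now_iso, report(SAMPLE_OPENSSL_OUTPUT, now_iso))
```

In production, replace SAMPLE_OPENSSL_OUTPUT with the captured stdout of the openssl command run against the real CRL file and use the current time as `now`.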