You are here

CRLs for client certificates must contain a CRL for each root and intermediate CA


If a CRL is configured, client certificates may be blocked, even if they are not listed in a CRL for a certain CA.


CRLs have to be configured for every root and intermediate CA involved. This is due to a policy change in the http listener Apache. Please see SSLCARevocationCheck in Apache documentation 2.4 for further details.

The following Apache expert setting on the virtual host restores previous behavior:

SSLCARevocationCheck chain no_crl_for_cert_ok

Please be aware to only set this expert settings on virtual hosts having a CRL configured.

Knowledge Base Categories: