Certificate Revocation List Backend Module

Read a certificate revocation list from a file on disk, and make the CRL available to any module that wants one.

What does it do?

Given a configured path to a certificate revocation list file on disk, the module returns that CRL (in the format defined by RFC 5280) to whichever module asks for it.

Module Integration

The mod_ca_crl module is a backend module and will not do anything useful until mod_ca_crl has been combined with one or more of the frontend modules listed below. The mod_ca_crl module implements the following hooks to return the certificate revocation list and the status of a certificate within it, and suitable frontend modules must be configured to implement each protocol as needed.

All backend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Certificate Revocation List Hook

This hook returns the certificate revocation list for the configured certificate authority.

This module provides the following implementations of this hook.

Get Certificate Revocation List From Disk: Returns the certificate revocation list from a file on disk.

This hook is called by the following frontend modules.

mod_crl: Generate and return a certificate revocation list as a response.

Certificate Status Hook

This hook returns the status of the certificate within the certificate revocation list for the configured certificate authority.

This module provides the following implementations of this hook.

Get Certificate Status From Disk: Check the certificate status against the certificate sign request from disk.

This hook is called by the following frontend modules.

mod_ocsp: Respond with the revocation status of a certificate.

Examples

Basic Example

The simplest case: return the certificate revocation list to anybody who wants one.


# backend configuration:
<IfModule mod_ca_crl.c>
  # return this crl
  CACRLCertificateRevocationList /etc/pki/tls/ca-crl.pem
</IfModule>

# frontend configuration:
<IfModule mod_crl.c>
  <Location /crl>
    SetHandler crl
  </Location>
</IfModule>

Hook Implementation Reference

The following hook implementations are provided by this module.

Get Certificate Revocation List From Disk

Returns the certificate revocation list from a file on disk.

Use the CACRLCertificateRevocationList Directive to enable this hook implementation and specify the CRL file.

The certificate revocation list is cached in memory; to pick up a new version of the file, httpd needs to be gracefully restarted.

Get Certificate Status From Disk

Return the status of a specific certificate from the certificate revocation list from a file on disk.

Use the CACRLCertificateRevocationList Directive to enable this hook implementation and specify the CRL file.

The certificate revocation list is cached in memory; to pick up a new version of the file, httpd needs to be gracefully restarted.
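The lookup this hook performs for mod_ocsp, a serial number checked against the entries of the CRL, together with the freshness caveat that an in-memory copy carries once nextUpdate has passed, as an added example. This is not mod_ca_crl's code (the module is an httpd C module); it is a stand-alone Python script that parses the RFC 5280 CertificateList DER structure directly, builds its own constructed sample CRL (issuer CN=Example CA, serials 0x1001 and 0x2002 revoked, validity January 2024, placeholder signature), and does not verify the CRL signature. The function names and the "stale" status value are this example's own.

```python
"""Minimal RFC 5280 CRL reader: list revoked serials, check freshness.

Added example, not part of mod_ca_crl. The DER is parsed directly so the
script needs only the standard library; the CRL signature is NOT verified.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


# --- small DER encoder, used only to build the constructed sample CRL ------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _integer(n):
    # two's complement: a positive value with its top bit set gets a 0x00 pad
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def sample_crl_pem():
    """Constructed CRL: issuer CN=Example CA, serials 0x1001 and 0x2002 revoked,
    thisUpdate 2024-01-01, nextUpdate 2024-01-31, placeholder signature."""
    t0, t1 = dt.datetime(2024, 1, 1, tzinfo=UTC), dt.datetime(2024, 1, 31, tzinfo=UTC)
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example CA"))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    entries = b"".join(_tlv(0x30, _integer(s) + _utctime(t0)) for s in (0x1001, 0x2002))
    tbs = _tlv(0x30, _integer(1) + sha256_rsa + issuer + _utctime(t0) + _utctime(t1)
               + _tlv(0x30, entries))
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 33))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % body


# --- DER reader --------------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:                        # UTCTime: RFC 5280 maps YY>=50 to 19YY
        yy = int(s[:2])
        s = "%04d%s" % ((1900 if yy >= 50 else 2000) + yy, s[2:])
    elif tag != 0x18:                      # otherwise it must be GeneralizedTime
        raise ValueError("unexpected time tag %#x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def parse_crl(pem):
    """Return thisUpdate, nextUpdate and {serial: revocationDate} from a PEM CRL."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a CertificateList")
    fields = _children(_children(cert_list)[0][1])   # tbsCertList only
    i = 1 if fields[0][0] == 0x02 else 0             # optional version
    i += 2                                           # signature, issuer
    this_update = _parse_time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i])
        i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:     # revokedCertificates
        for _, entry in _children(fields[i][1]):
            (_, serial), (ttag, tval) = _children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = _parse_time(ttag, tval)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def certificate_status(crl, serial, now):
    """The lookup a CRL-backed responder performs: 'revoked', 'good', or 'stale'
    when nextUpdate has passed, i.e. the in-memory copy needs reloading."""
    if serial in crl["revoked"]:
        return "revoked"
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "stale"
    return "good"


def demo():
    crl = parse_crl(sample_crl_pem())
    mid = dt.datetime(2024, 1, 15, tzinfo=UTC)
    late = dt.datetime(2024, 2, 15, tzinfo=UTC)
    return {
        "revoked_serials": sorted(crl["revoked"]),
        "next_update": crl["next_update"].isoformat(),
        "mid": [certificate_status(crl, s, mid) for s in (0x1001, 0x3003)],
        "late": [certificate_status(crl, s, late) for s in (0x2002, 0x3003)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A revoked serial stays "revoked" even after nextUpdate, since the entry itself is still true; it is the "good" answer that becomes unreliable once the list is past its nextUpdate, which is why the example reports "stale" instead of "good" in that case. Against a real CRL the same reader works on the PEM file named by CACRLCertificateRevocationList, but a production checker must also verify the CRL signature against the issuing CA, which this example deliberately skips.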

Directive Reference

CACRLCertificateRevocationList Directive

Description: The max-age of the certificate revocation list will be divided by this factor.
Syntax: CACRLCertificateRevocationList file
Default: none
Context: server config, virtual host, directory, .htaccess
Status: Backend
Module: mod_ca_crl
Compatibility: Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the file containing the certificate revocation list.

The file is loaded into memory on httpd startup; after updating the file, a graceful restart is needed to reload it into the server.