Posted to users@tomcat.apache.org by John Weaver <in...@gmail.com> on 2007/05/28 04:32:58 UTC

Certificate Revocation Lists and Tomcat.

Hi there,

I have Tomcat 5.5 running under Windows 2003.

I'm using the APR.

I set up a vm to test my set up - and got it working successfully.

The setup / plan:

Tomcat 5.5 forcing SSL/TLS when pointed at a particular URL pattern (working
fine).

Requiring a valid certificate from the client before establishing the secure
session (working fine).

When a client certificate is revoked it needs to recognise this within a
reasonable period of time (worked fine originally but no longer).

I am using the Windows 2003 CA to issue the client certificates; I also
issued the server certificate using the same CA.

The VM I set up originally worked great: I could revoke a certificate, then
connect back using the browser with that certificate, and it would
detect that the certificate was now revoked and block access within what was
effectively real time.


Now, however, it won't pick up the certificates that have been revoked until
the engine is restarted.

Does anyone know what setting I've missed or which configuration option is wrong
here? Why would it only be picking up the changes to the CRL when the engine
gets started (or stopped then started again)?

Failing that, is there a configuration option within Tomcat / OpenSSL where
I can tell it how regularly to refresh CRL subscriptions? (I have looked and
googled and cannot find it.)

Any help at all greatly appreciated.

Cheers,

John.