Nginx – How to reload Certificate Revocation List (CRL) in nginx

crlnginxssl

I have set CRL file in nginx with ssl_crl directive:

ssl_crl /mypath/crl.pem

However, I noticed that adding or removing revoked certificates from crl.pem apply only when I restart or reload nginx server.

What is best practice for this? Reloading nginx configuration when crl.pem changes or something else?

Best Answer

Just reload nginx when you make any changes to the file. This will cause it to re-read the files without interrupting any existing connections or needing to restart. For example (RHEL/CentOS):

service nginx reload

Related Solutions

Windows – Reset local Certificate Revocation List (CRL) manual

Nginx – How to dynamically reload nginx config

If you can't use a post-receive hook, perhaps you can use inotify to watch for changes in the nginx configuration.

In this case, you would use incrond and incrontab to set up a watch on specified files and actions to take when those files change. Something like this in the incrontab:

/etc/nginx/nginx.conf IN_MODIFY /etc/init.d/nginx reload

Here's the man page for incrontab. You should be able to find other documentation and examples for using the inotify toolset that will fit your configuration.

Best Answer

Related Solutions

Windows – Reset local Certificate Revocation List (CRL) manual

Nginx – How to dynamically reload nginx config

Related Topic