Actually, I had the same questions.
Is this something that’s available by now, or is it in the pipeline of
new release of Nginx or will it never be?
I’m just asking since I believe this might be a good feature to add
CRL’s could get very big when lots of certificate have been revoked, and
since it is not a realtime updating mechanism.
By using a OCSP, there is a little overhead of contacting the OCSP for
checking each client certificate that is being validated…
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail
multiple locations which makes it harder to track and a big disadvantage
the CRL’s is that they are not realtime updated, which is the case for
This way revoking a certificate will cause it to immediately retract the
access to client certificate secured applications (for all new
Is it already supported in some version of Nginx or is it planned
in the future?
Posted at Nginx Forum: