Andrej Podzimek wrote:
> "The files server.key, server.crt, root.crt, and root.crl are only
> examined during server start; so you must restart the server for
> changes in them to take effect."
> (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
>
> This is perfectly fine for server.key, server.crt and root.crt. These
> files change quite rarely. However, root.crl usually chages once a
> month (which is the default in OpenSSL) or even more often when
> necessary.
I think the right solution here is to reload the CRL file on SIGHUP
(reload). Whoever changes the CRL file should send a signal.
I've had that on my TODO list for a while.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.