Alvaro Herrera wrote:
> Andrej Podzimek wrote:
>
> > "The files server.key, server.crt, root.crt, and root.crl are only
> > examined during server start; so you must restart the server for
> > changes in them to take effect."
> > (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
> >
> > This is perfectly fine for server.key, server.crt and root.crt. These
> > files change quite rarely. However, root.crl usually chages once a
> > month (which is the default in OpenSSL) or even more often when
> > necessary.
>
> I think the right solution here is to reload the CRL file on SIGHUP
> (reload). Whoever changes the CRL file should send a signal.
>
> I've had that on my TODO list for a while.
Added to TODO:
Allow SSL CRL files to be re-read during configuration file reload,
rather than requiring a server restart
Unlike SSL CRT files, CRL (Certificate Revocation List) files are
updated frequently
* http://archives.postgresql.org/pgsql-general/2008-12/msg00832.php
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +