7

I'm running a MongoDB replica set with TLS/SSL. I'm also using a CRL to block revoked certificates for clients. Relevant configuration of a replica set member follows.

net:
    ssl:
        mode: requireSSL
        PEMKeyFile: /opt/member.pem
        clusterFile: /opt/member.pem
        CAFile: /opt/ca.pem
        CRLFile: /opt/crl.pem

security:
    clusterAuthMode: x509

My question is: do I need to restart the mongod process each time I update the CRL file on disk?

Stennie
Rafa Viotti

1 Answer

1

As at MongoDB 3.4, the CRL file is not reloaded after initial MongoDB startup.

If you are actively making changes to the CRL file you will need to restart the mongod process(es) to ensure any changes take effect.

Stennie
  • Thanks Stennie. I was using a CRL with a short lifespan as recommended by X.509 tutorials, so that became a concern. I reverted to using a CRL with longer validity since I have control over the entire replica set and I can issue a new CRL whenever I need to revoke a certificate, and do a rolling restart only in that situation. So this isn't much of an issue, actually. – Rafa Viotti Dec 05 '16 at 00:25
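Because the answer says the CRL is read only at startup, a revocation takes effect on a member only once its mongod has been restarted after the new CRL was written. The following check is an added example, not code from the posts above: it flags any local mongod that started before the CRL file's last modification. It assumes Linux with procps (`ps -o etimes=`, `pgrep`) and the `/opt/crl.pem` path from the question; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find mongod processes still holding an outdated CRL in memory.
# Assumption: Linux with procps; CRL path taken from the question's CRLFile.
CRL_FILE="${CRL_FILE:-/opt/crl.pem}"

# Modification time of a file in epoch seconds (GNU stat first, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# Start time of a PID in epoch seconds, derived from its elapsed run time.
proc_start_epoch() {
    _elapsed=$(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$_elapsed" ] || return 1
    echo $(( $(date +%s) - _elapsed ))
}

# Returns 0 if the CRL was modified at or after the given process start time
# (the process cannot be assumed to have loaded it), 1 if the process is
# newer than the CRL, 2 if the CRL file cannot be read.
crl_changed_since() {
    _mtime=$(file_mtime "$1") || return 2
    [ -n "$_mtime" ] || return 2
    [ "$_mtime" -ge "$2" ]
}

# Report every local mongod that predates the CRL on disk.
# Returns 1 if at least one member needs a restart.
check_mongod_crl() {
    _rc=0
    for _pid in $(pgrep -x mongod); do
        _started=$(proc_start_epoch "$_pid") || continue
        if crl_changed_since "$CRL_FILE" "$_started"; then
            echo "mongod pid $_pid predates $CRL_FILE: restart required"
            _rc=1
        fi
    done
    return $_rc
}

# Run the check only when asked, e.g.: sh crl_check.sh check
if [ "${1:-}" = "check" ]; then
    check_mongod_crl
fi
```

Run it on each replica set member after distributing a new CRL; a non-zero exit status means the rolling restart has not reached that member yet.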