Enable the CRL cache
When the gsk-crl-cache-size and gsk-crl-cache-entry-lifetime stanza entries are both set to "0" (default), CRL caching is disabled.
To enable the cache, set either or both of gsk-crl-cache-size and gsk-crl-cache-entry-lifetime to a value other than zero. The cache is enabled as soon as one or both of these stanza entries has a non-zero value configured.
If either configuration entry has a value of 0 while the other is non-zero, GSKit automatically assigns a default value to the entry with the zero value. GSKit uses the following process:
- If gsk-crl-cache-entry-lifetime is configured with a non-zero value, but gsk-crl-cache-size is configured as 0, then the CRL cache is enabled. In this case, GSKit uses the following default value for gsk-crl-cache-size:
  - gsk-crl-cache-size = 50
- If gsk-crl-cache-size is configured with a non-zero value, but gsk-crl-cache-entry-lifetime is configured as 0, then the CRL cache is enabled. In this case, GSKit uses the following default value for gsk-crl-cache-entry-lifetime:
  - gsk-crl-cache-entry-lifetime = 43200
If the CRL distribution point (CDP) in the certificate specifies an HTTP source for the CRL, then WebSEAL does not use the gsk-crl-cache-size and gsk-crl-cache-entry-lifetime configuration settings. CRLs from HTTP sources are never cached. If OCSP is not an option and a large CRL must be read using HTTP, you can use the GSKit environment variable GSK_HTTP_CDP_MAX_RESPONSE_SIZE.
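The following is an added example, not IBM or WebSEAL code: a small audit helper that reads the two entries from a configuration file and reports the values GSKit ends up using under the rules above, including the HTTP CDP exception. The stanza name "ssl", the function names, and the sample configuration and URLs are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlparse

# Defaults GSKit assigns when exactly one entry is zero (values from the text above).
DEFAULT_SIZE = 50
DEFAULT_LIFETIME = 43200

def effective_crl_cache(conf_text, stanza="ssl"):
    """Return (enabled, size, lifetime) after GSKit's default substitution.

    Assumption: both entries sit in the stanza named by `stanza`; the
    default "ssl" is an assumption. A missing entry counts as 0.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    size = int(cp.get(stanza, "gsk-crl-cache-size", fallback="0"))
    life = int(cp.get(stanza, "gsk-crl-cache-entry-lifetime", fallback="0"))
    if size < 0 or life < 0:
        # This example rejects negative values instead of guessing a meaning.
        raise ValueError("cache entries must not be negative")
    if size == 0 and life == 0:
        return (False, 0, 0)  # both zero: caching disabled
    # Exactly one zero: the zero entry takes its GSKit default.
    return (True, size or DEFAULT_SIZE, life or DEFAULT_LIFETIME)

def crl_is_cached(conf_text, cdp_url, stanza="ssl"):
    """False for an HTTP CDP (never cached), else the cache's enabled state."""
    if urlparse(cdp_url).scheme.lower() == "http":
        return False
    return effective_crl_cache(conf_text, stanza)[0]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
[ssl]
# only the lifetime is set; the size is left at 0
gsk-crl-cache-size = 0
gsk-crl-cache-entry-lifetime = 3600
"""

if __name__ == "__main__":
    print(effective_crl_cache(SAMPLE))
    print(crl_is_cached(SAMPLE, "ldap://ldap.example.com/cn=crl,o=example"))
    print(crl_is_cached(SAMPLE, "http://crl.example.com/ca.crl"))
```

Running a check like this across server configurations shows where a single non-zero entry has silently enabled the cache with a GSKit default, and where revocation data is fetched over HTTP on every lookup regardless of the cache settings.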