- First time I have seen a Dto object in the code base. What caused us to need it?
- Who calls the ctor on CertificateRevocationListTask? How do the parameters get set?
- Reading in the entire CRL into memory scares me :) If we assume a serial number is a long of average length stored as a string, then it is 10 bytes. Add another 18 bytes for the time stamp as a string, and then you get 28 bytes per entry. A million entitlements would get us roughly a 26 meg file. Is there a way to stream this? Perhaps read in each record from the CRL and then process it into the new file?
- Related to this, let's turn down the logging :)
- The logic for deleting the old certificates is to delete those certs that expired yesterday. Are there any rules about how long a cert needs to be in a CRL?
- Does the CRL need to be signed?
- Have we tried loading the CRL into Apache or an ocspd daemon to see if it will work?
-- bk