Is there a way to do a Dynamic CRL for Client SSL Certificates


Leonid Belkind

Aug 8, 2017, 4:31:45 AM
to openresty-en
Guys,

We are setting up internal communication between distributed components of our system using NGINX as a reverse proxy.
In order to make sure that only authorized components are allowed to connect, we are using SSL client certificates.
Now we are implementing the scenarios where we could centrally revoke a certificate issued to such a client entity, so that it will no longer be accepted by the NGINX proxy.

It seems that the way to do it is by updating a CRL file. Our challenge is that our proxy is distributed - many instances of containerized proxy running in various locations. Is there a way to avoid performing a complex operation of copying the updated CRL file to all locations and issuing a configuration reload on all NGINX processes?

We tried looking into OCSP stapling, but it seems that NGINX only supports it for server certificates.
Any other ideas? Any 3rd-party module that allows plugging into the client certificate validation during the SSL handshake and checking for revoked certificates "applicatively" against a central service?

Thank you in advance,
Leonid
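The following is an added example of the pattern commonly used in OpenResty for this problem; it is not a reply from this thread and not code from the poster. Instead of a static CRL file, nginx still validates the client certificate chain against the internal CA at handshake time, and the revocation decision is then made per request in `access_by_lua_block` by asking a central revocation service through an internal subrequest, with results cached in a shared dictionary. Everything below the comment header is an assumption for illustration: the file paths, the upstream addresses, and a hypothetical revocation service that answers `GET /revoked/<issuer>|<serial>` with 200 when the certificate is revoked and 404 when it is not.

```nginx
# Added example, not from the thread. Assumed: CA/cert paths, upstream
# addresses (constructed), and a hypothetical revocation service whose
# GET /revoked/<key> answers 200 = revoked, 404 = not revoked.
events { worker_connections 1024; }

http {
    # Shared across workers, so each cert is checked centrally at most once per TTL.
    lua_shared_dict cert_status 1m;

    upstream backend        { server 10.0.0.10:8080; }   # constructed address
    upstream revocation_svc { server 10.0.0.20:8081; }   # constructed address

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;

        # nginx still builds and verifies the chain against the internal CA.
        # "optional" only lets the request reach the access phase, where
        # $ssl_client_verify tells us whether chain validation succeeded.
        ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
        ssl_verify_client      optional;

        # Subrequest target for the central lookup; not reachable from clients.
        location /_revocation/ {
            internal;
            proxy_pass            http://revocation_svc/revoked/;
            proxy_connect_timeout 1s;
            proxy_read_timeout    1s;
        }

        location / {
            access_by_lua_block {
                -- 1. Chain validation must have succeeded during the handshake.
                if ngx.var.ssl_client_verify ~= "SUCCESS" then
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- 2. Serial numbers are unique only per issuer, so key on both.
                local key   = ngx.var.ssl_client_i_dn .. "|" .. ngx.var.ssl_client_serial
                local cache = ngx.shared.cert_status
                local status = cache:get(key)

                if status == nil then
                    -- 3. Cache miss: ask the central service (hypothetical API).
                    local res = ngx.location.capture("/_revocation/" .. ngx.escape_uri(key))
                    if res.status == 200 then
                        status = "revoked"
                    elseif res.status == 404 then
                        status = "ok"
                    else
                        -- Service down or erroring: fail closed and do not cache,
                        -- so the next request retries the lookup.
                        ngx.log(ngx.ERR, "revocation lookup failed: ", res.status)
                        return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                    end
                    -- The TTL bounds how long a freshly revoked cert keeps working.
                    cache:set(key, status, 60)
                end

                if status == "revoked" then
                    ngx.log(ngx.WARN, "rejected revoked client cert: ", key)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }
            proxy_pass http://backend;
        }
    }
}
```

Two caveats a practitioner should keep in mind with this approach. First, the check runs after the TLS handshake has completed rather than inside it, so a revoked certificate still finishes the handshake and is only refused at the request level with 403; for an internal reverse proxy that is usually acceptable, and it avoids having to reload nginx or distribute CRL files. Second, the cache TTL is the revocation propagation delay, and the example fails closed when the central service is unreachable; if availability matters more than immediate revocation, the fallback could instead be a last-known-good entry with a longer TTL, but that choice should be made deliberately rather than by default.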
