When configuring PAM to use a new SSL certificate issued by a third-party Certification Authority, it is currently mandatory to import CRLs for any CA certificates that are in the chain of the PAM SSL certificate.
However, the CRLs typically expire after about a week and are no longer used by PAM once the new SSL certificate is in place.
My idea is to make it so that CRL import is not required when configuring a server-side SSL certificate on PAM.
CRL import (or OCSP) should only be required if client-side certificate authentication (e.g. PKI Smartcards) is being used.