Index: tl-ldap-certalias
===================================================================
--- tl-ldap-certalias	(revision 27175)
+++ tl-ldap-certalias	(working copy)
@@ -636,23 +636,28 @@
     # implement OCSP support.
     #
 
+    crl = None
     for uri in cert["crl"]:
+
+        # for now we only support http distribution points
         if not uri.startswith("http"):
             continue
 
         crl = find_crl(uri)
-        if crl is None:
-            return (False, "Unable to retrieve CRL at %s" % uri)
+        if crl is not None:
+            break
 
-        if crl["serials"].has_key(cert["serial"]):
-            vprint("Certificate revoked by CRL list at %s" % uri)
-            return (False, "Certificate has been revoked by CA")
+        # failed to get CRL, lets try next distribution point
+        vprint("Failed to download CRL list at %s, trying next distribution point" % uri)
+        
+    # check if certificate is revoked
+    if crl is not None and crl["serials"].has_key(cert["serial"]):
+        vprint("Certificate revoked by CRL list at %s" % uri)
+        return (False, "Certificate has been revoked by CA")
 
-    # We've passed expiration/validation dates, CA verification, CRL
-    # checks. It's OK.
-
     return (True, "Certificate OK")
 
+
 def usage():
     print "Usage: tl-ldap-certalias [options]"
     print "Options:"