> Should the certificate that signs the CRL be the same cert that signs the
> end-entity's certificates?
It can be, yes. In many cases it is.
> or Can any other certificate(ie., authorised to do so) can sign the CRL?
Yes, the CA can sign another cert that gives it the authority.
There are various extensions, or the CA can sign a cert with the same
DN. (That's what the baltimore CA's do.)
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
