A self-signed CA certificate (technically, a "trust anchor") cannot be revoked via CRL. This is assumed to be a function of the higher-layer security infrastructure which led to the trust anchor being trusted in the first place, and is outside the scope of CRL.
-Kyle H

On Mon, Jan 26, 2009 at 9:17 PM, PS <mytechl...@gmail.com> wrote:
> Hi All,
> Is it possible to revoke a self-signed CA certificate?
>
> If yes, then I don't understand why it should be allowed. It does not make
> sense. The only reason a root CA would want to revoke its own certificate is
> if its private-key might have been compromised. So, the CA would want to
> revoke its certificate and create a new CRL.
> But since the private-key is compromised, the attacker can always use the
> private-key (of the CA), and create yet another new CRL and distribute it.
>
> This looks like a chicken and egg problem because you are trusting a
> CRL-list sent by a CA and the CRL mentions not to trust the very same CA
> since its certificate is revoked. What is the solution to this problem? Any
> insights?
> ______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
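The chicken-and-egg PS describes, and the out-of-band remedy Kyle points to, can be made concrete with the openssl CLI. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes `openssl` 1.1.1 or later is installed, and every name, path and subject in it is constructed for the demo.

```shell
# Added example, not from the original thread: a throwaway root CA (trust anchor) puts
# its OWN serial on a CRL signed by its own key; the functions below show what a relying
# party can and cannot learn from that. Assumes openssl 1.1.1+; all names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Self-contained config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = root
[ root ]
database         = $WORK/index.txt
serial           = $WORK/serial
new_certs_dir    = $WORK
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt; echo 01 > serial; echo 01 > crlnumber
setup_pki() {   # self-signed root plus one leaf certificate it issued
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj /CN=DemoRoot -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=leaf \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
}
root_revokes_itself() {   # the root's serial lands on a CRL that the root signs
  openssl ca -config ca.cnf -revoke ca.pem -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}
# The chicken-and-egg: this CRL only verifies because ca.pem is still trusted.
# Whoever holds ca.key can sign a contradicting CRL that verifies just as well.
crl_verifies_against_revoked_root() { openssl crl -in root.crl -CAfile ca.pem -noout 2>/dev/null; }
# CRL checking covers certificates the CA issued; the anchor itself is not in scope.
leaf_still_valid_with_crl() { openssl verify -CAfile ca.pem -crl_check -CRLfile root.crl leaf.pem >/dev/null 2>&1; }
# The real remedy is out of band: drop the anchor from the trust store. Returns 0 when
# the leaf is (correctly) rejected because no trusted issuer remains.
leaf_rejected_without_anchor() { ! openssl verify -no-CAfile -no-CApath leaf.pem >/dev/null 2>&1; }
setup_pki && root_revokes_itself
openssl crl -in root.crl -noout -text | grep -A1 'Revoked Certificates'  # the root's own serial
```

The three functions return 0 in turn: the self-revoking CRL verifies against the very certificate it lists, the leaf still validates with that CRL present, and only removing the anchor from the store makes the leaf untrusted.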