Thanks very much for the hints. Finally, I decided to generate a CRL for three
years and replace it when something needs to be revoked, if ever. I think the
support is not good. We will have to distribute the CRL issuer certificate to
partner applications to be able to verify the CRL signature. And generally, the
support and knowledge about indirect CRLs is low among developers...
Viliam
On 2.5.2011 14:00, Eisenacher, Patrick wrote:
Hi Viliam,
-----Original Message-----
From: Viliam Durina
Sent: Monday, May 02, 2011 12:50 PM
To: openssl-users
Subject: Possibility to create CRL without the CA key
Hello,
I'm doing my own CA with openssl and want to regularly
generate CRLs. We plan limited use of the CA (say 1-2
certificates per year), so the CA private key is stored in a
safe on a USB stick until it is used next time. But, as far
as I know, we will need it to generate CRLs quite often. I see
two possible solutions:
1. be able to sign the CRL with another key, signed with that
CA: is this possible?
2. generate the CRL with very long validity (say 1 year) and
regenerate a new one when needed: isn't this breaking some
PKI rules or common practices?
A CA can delegate the issuance of CRLs to a CRL issuer by issuing that instance a
certificate with the key usage cRLSign. You can read up on the details in RFC 5280,
chapter "CRL and CRL Extensions Profile".
HTH
Patrick Eisenacher
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
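The delegation Patrick describes, worked through as an added example that is not part of the thread: a self-signed CA issues a separate CRL-signing certificate with keyUsage cRLSign, the CA key is then moved out of the way, and revocation plus CRL generation run with the CRL signer key only. The CRL lifetime is set to 1095 days to mirror the three-year plan in the reply. The script assumes the openssl command-line tool is on PATH; every file name, directory and distinguished name is made up. Because the CRL signer's name differs from the CA's name, RFC 5280 treats the result as an indirect CRL; the script sets neither the issuingDistributionPoint (indirectCRL) extension nor the certificateIssuer entry extension, so it shows the signing and verification mechanics, not a fully profiled indirect CRL.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
# All names, paths and DNs below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"
CA_CERT="$WORK/ca.crt";            CA_KEY="$WORK/ca.key"
CRLSIGNER_CERT="$WORK/crlsigner.crt"; CRLSIGNER_KEY="$WORK/crlsigner.key"
EE_CERT="$WORK/partner-app.crt"
CRL_FILE="$WORK/example.crl"

# Minimal "openssl ca" configuration. default_crl_days = 1095 gives the CRL
# the three-year nextUpdate chosen in the reply above.
write_config() {
  mkdir -p "$WORK/newcerts" "$WORK/offline-safe"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $CA_CERT
private_key = $CA_KEY
default_md = sha256
default_days = 365
default_crl_days = 1095
policy = policy_any
x509_extensions = ee_ext
crl_extensions = crl_ext
[ policy_any ]
commonName = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ crlsigner_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

issue_cert() {  # $1 key out, $2 cert out, $3 subject, $4 extension section
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -keyout "$1" \
    -out "$WORK/req.csr" -subj "$3" 2>/dev/null
  openssl ca -config "$CFG" -batch -notext -extensions "$4" \
    -in "$WORK/req.csr" -out "$2" >/dev/null 2>&1
}

# Step 1 (CA key in use): self-signed CA, then the delegated CRL signer
# (keyUsage cRLSign) and one ordinary end-entity certificate.
setup_pki() {
  write_config
  openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$CA_KEY" -out "$CA_CERT" -days 3650 -subj "/CN=Example Root CA" 2>/dev/null
  issue_cert "$CRLSIGNER_KEY" "$CRLSIGNER_CERT" "/CN=Example CRL Issuer" crlsigner_ext
  issue_cert "$WORK/partner-app.key" "$EE_CERT" "/CN=partner-app" ee_ext
  # Step 2: the CA key goes into the safe; nothing below reads it again.
  mv "$CA_KEY" "$WORK/offline-safe/"
}

# Step 3 (CA key offline): mark the certificate revoked in the database and
# publish a CRL, both signed with the CRL signer key via -cert/-keyfile.
revoke_and_issue_crl() {  # $1 certificate to revoke
  openssl ca -config "$CFG" -cert "$CRLSIGNER_CERT" -keyfile "$CRLSIGNER_KEY" \
    -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$CFG" -cert "$CRLSIGNER_CERT" -keyfile "$CRLSIGNER_KEY" \
    -gencrl -out "$CRL_FILE" >/dev/null 2>&1
}

# Relying-party check: the CRL signature verifies only against the CRL issuer
# certificate, which is why that certificate must be distributed to partners.
crl_verifies_against() {  # $1 CRL, $2 PEM file holding the candidate issuer cert
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q "verify OK"
}
crl_lists_serial() {  # $1 CRL, $2 hex serial
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"
}
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_has_crl_sign() { openssl x509 -in "$1" -noout -text | grep -q "CRL Sign"; }

setup_pki
revoke_and_issue_crl "$EE_CERT"
EE_SERIAL=$(cert_serial "$EE_CERT")
echo "CRL signer has cRLSign:         $(cert_has_crl_sign "$CRLSIGNER_CERT" && echo yes || echo no)"
echo "revoked serial $EE_SERIAL listed:  $(crl_lists_serial "$CRL_FILE" "$EE_SERIAL" && echo yes || echo no)"
echo "verifies with CRL issuer cert:  $(crl_verifies_against "$CRL_FILE" "$CRLSIGNER_CERT" && echo yes || echo no)"
echo "verifies with CA cert alone:    $(crl_verifies_against "$CRL_FILE" "$CA_CERT" && echo yes || echo no)"
```

The last two checks are the practical point of the thread: a relying party holding only the CA certificate cannot find an issuer for this CRL, so the CRL issuer certificate (and its cRLSign key usage) has to reach every partner application that validates the CRL, and those validators must actually implement the indirect CRL rules of RFC 5280 for the delegation to be safe.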