Hi Erwann,
On 15.03.2013 16:16, Erwann Abalea wrote:
> You can generate a self-issued certificate dedicated to CRL signing
> (same name, different key, signed by your root). That's acceptable
> for RFC5280, but you'll have to check with your clients. And find a
> way to distribute this certificate.
I'm not sure whether I got it right.
My Root CA is named "Foobar Root CA" with keypair (A).
I would then let "Foobar Root CA" issue a certificate for "Foobar Root
CA" with keypair (B) and attribute "keyUsage = cRLSign".
I would then use the certificate for keypair (B) to sign the CRL.
Then, I would distribute the certificates for "Foobar Root CA" (A) and
"Foobar Root CA" (B) to my clients' trusted CA stores.
Is this the way you pointed me to?
Thanks,
Sven
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
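The setup Sven describes, as an added example that is not part of the original thread: OpenSSL commands that create keypair (A) as "Foobar Root CA", let it issue a same-name certificate for keypair (B) with keyUsage=cRLSign, sign a CRL with (B), and then show how Erwann's "check with your clients" caveat plays out with OpenSSL's own verifier. The file names, the minimal config file, the extension files and the leaf certificate are constructed for this demo and assume an OpenSSL 1.1.1 or 3.x command line.

```shell
# Added example (not from the thread): root (A) issues a same-name cert (B) with cRLSign; B signs the CRL.
set -eu
WORK=$(mktemp -d); cd "$WORK"
SUBJ="/CN=Foobar Root CA"
# Constructed config: a DN section so 'req' accepts -subj, and a 'ca' section that only emits CRLs with B's key.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = crlB.crt
private_key      = crlB.key
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext
[ crl_ext ]
# the CRL's authorityKeyIdentifier is what lets a verifier pick B, not A, as the CRL signer
authorityKeyIdentifier = keyid:always
EOF
# Extensions (constructed): A is the CA, B may only sign CRLs, and the leaf's
# authorityKeyIdentifier names A's key so B is never mistaken for its issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > rootA.ext
printf 'keyUsage=critical,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > crlB.ext
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext
newcsr() { openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
             -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
newcsr rootA "$SUBJ"; newcsr crlB "$SUBJ"; newcsr leaf "/CN=leaf.example"
openssl x509 -req -in rootA.csr -signkey rootA.key -days 3650 -sha256 \
  -extfile rootA.ext -out rootA.crt 2>/dev/null
for n in crlB leaf; do   # both signed by key (A); crlB reuses A's subject name
  openssl x509 -req -in $n.csr -CA rootA.crt -CAkey rootA.key -CAcreateserial \
    -days 365 -sha256 -extfile $n.ext -out $n.crt 2>/dev/null
done
: > index.txt; echo 01 > crlnumber   # empty issued-cert DB and first CRL number
openssl ca -config demo.cnf -gencrl -out crl.pem 2>/dev/null
# Echoes accepted/rejected for -crl_check on the leaf; $1 = extra verify options
# modelling what a given client knows (B?) and allows (alternate CRL signers?).
crl_check() {
  if openssl verify -CAfile rootA.crt $1 -crl_check -CRLfile crl.pem leaf.crt 2>&1 | grep -q ': OK$'
  then echo accepted; else echo rejected; fi
}
# Trusts (A) only: the CRL's key identifier matches no signer it knows -> rejected.
client_trusting_a_only() { crl_check ""; }
# Also given (B) and -extended_crl (alternate CRL signing keys) -> accepted.
client_with_b() { crl_check "-untrusted crlB.crt -extended_crl"; }
client_trusting_a_only; client_with_b   # prints: rejected, accepted
```

A client that only trusts (A) fails with "unable to get certificate CRL", which is exactly why (B) has to be distributed alongside (A) and why each client's CRL handling needs to be checked.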