Hi Erwann,
On 15.03.2013 17:36, Erwann Abalea wrote:
Yes. That's one possible solution (possible from a PKI point of view).
Another solution would be to play with indirect CRLs. That involves
Thank you very much for your explanations, I will try these scenarios.
Thanks, Sven
On 15/03/2013 17:01, Sven Dreyer wrote:
Hi Erwann,
On 15.03.2013 16:16, Erwann Abalea wrote:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And f
Hi Erwann,
On 15.03.2013 16:16, Erwann Abalea wrote:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And find a
way to distribute this certificate.
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but yo
Hi Matthew,
On 15.03.2013 16:03, Matthew Hall wrote:
Read about the cRLSign KeyUsage bit. This is how it is usually
handled.
I already let the Root CA issue a certificate with "keyUsage = cRLSign"
and used that certificate to sign the CRL, but my colleague's Windows
machine refused to acce
Hi List,
I would like to set up an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online every 3 days.
Is there a way to let the Root CA issue a "CRL signe