Hi Erwann,
Am 15.03.2013 17:36, schrieb Erwann Abalea:
Yes. That's one possible solution (possible from a PKI point of view).
Another solution would be to play with indirect CRLs. That involves
Thank you very much for your explanations, I will try these scenarios.
Thanks, Sven
_
Le 15/03/2013 17:01, Sven Dreyer a écrit :
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And f
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And find a
way to distribute this certificate.
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but yo
