Mats Nilsson wrote:
> 
> Hi list.
Hello Mats,

> Some philosophical questions:
> 
> Should a self-signed root certificate ever need to be revoked, shall it
> list itself in its usual CRL(s), as the last thing it does before it is
> thrown away, or is it sufficient (from its users' standpoint) that it
> simply ceases to issue more CRLs?

Since the root certificate is at this time invalid,
you can't use it to sign the CTL...


You can generate a new root certificate and use it to
sign the new CRL which lists the old root certificate as revoked...

Every root cert needs its own serial number!
(but this is a wise decision anyway...)

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
