Mats Nilsson wrote:
>
> Hi list.

Hello Mats,

> Some philosophical questions:
>
> Should a self-signed root certificate ever need to be revoked, shall it
> list itself in its usual CRL(s), as the last thing it does before it is
> thrown away, or is it sufficient (from its users' standpoint) that it
> simply ceases to issue more CRLs?

Since the root certificate is at this time invalid,
you can't use it to sign the CTL...
You can generate a new root certificate and use it to
sign the new CRL which lists the old root certificate as revoked...
Every root cert needs its own serial number!
(but this is a wise decision anyway...)

Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126