Hello,

I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is stored in a safe on a USB stick until it is used next time. But, as far as I know, we will need it to generate a CRL quite often. I see two possible solutions:

1. be able to sign the CRL with another key, signed with that CA: is this possible?
2. generate the CRL with very long validity (say 1 year) and regenerate a new one when needed: isn't this breaking some PKI rules or common practices?

Thanks,
Viliam

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
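
Option 2 from the message, as an added example that is not part of the original post: a throwaway CA (its config, file names and subject are all constructed) issues a CRL with `openssl ca -gencrl -crldays` and reads back the `lastUpdate`/`nextUpdate` window, which is the field a relying party checks to decide whether a cached CRL is still current. GNU `date` is assumed for the date arithmetic.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory; every name is constructed.
# Prints the CRL validity window (nextUpdate - lastUpdate) in whole days.
crl_window_days() {
    days="$1"
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        : > index.txt            # empty CA database: nothing revoked yet
        echo 01 > crlnumber      # serial number for the first CRL
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Constructed Demo CA
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_crl_days = 30
EOF
        # Self-signed demo CA; the real CA key would come from the USB stick.
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -days 3650 >/dev/null 2>&1 || exit 1
        # -crldays overrides default_crl_days and determines nextUpdate.
        openssl ca -config ca.cnf -gencrl -crldays "$days" -out ca.crl \
            >/dev/null 2>&1 || exit 1
        last=$(openssl crl -in ca.crl -noout -lastupdate | cut -d= -f2)
        next=$(openssl crl -in ca.crl -noout -nextupdate | cut -d= -f2)
        # GNU date is assumed for parsing the OpenSSL timestamp format.
        echo $(( ($(date -u -d "$next" +%s) - $(date -u -d "$last" +%s)) / 86400 ))
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```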