Hi Viliam,

> -----Original Message-----
> From: Viliam Durina
> Sent: Monday, May 02, 2011 12:50 PM
> To: openssl-users
> Subject: Possibility to create CRL without the CA key
>
> Hello,
>
> I'm doing my own CA with openssl and want to regularly
> generate CRLs. We plan limited use of the CA (say 1-2
> certificates per year), so the CA private key is stored in a
> safe on a USB stick until it is used next time. But, as far
> as I know, we will need it to generate CRL quite often. I see
> two possible solutions:
>
> 1. be able to sign the CRL with another key, signed with that
> CA: is this possible?
>
> 2. generate the CRL with very long validity (say 1 year) and
> regenerate a new one when needed: isn't this breaking some
> PKI rules or common practices?

A CA can delegate the issuance of CRLs to a CRL issuer by issuing that instance a certificate with the key usage cRLSign. You can read up the details on that in RFC5280, chapter "CRL and CRL Extensions Profile".

HTH
Patrick Eisenacher

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
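The following script is an added worked example of the delegation Patrick describes; it is not part of the thread and not OpenSSL project code. It builds a throwaway root CA, issues a separate "CRL issuer" certificate carrying the cRLSign key usage, and then revokes an end-entity certificate and issues the CRL using only the delegate's key. It assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`); every subject name, file name and URL is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): delegate CRL signing to a separate
# "CRL issuer" key, as described in the reply, using only the openssl CLI.
# Assumes OpenSSL 1.1.1 or later; every name, path and URL below is made up.
set -eu

# Builds a throwaway root CA, a delegated CRL issuer and one end-entity cert,
# revokes the end-entity cert and issues a CRL signed by the delegate only.
# Runs in a subshell inside a temp dir; prints the CRL's issuer DN on success.
delegated_crl_demo() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # 1. Root CA. In the real deployment this key stays offline; it is needed
  #    only to issue certificates (including the CRL issuer's own certificate).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

  # 2. Delegated CRL issuer. Its certificate must carry the cRLSign key usage
  #    (RFC 5280 section 6.3.3); CA:FALSE keeps it from issuing certificates.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example CRL Issuer" \
    -keyout crlsigner.key -out crlsigner.csr >/dev/null 2>&1
  cat > crlsigner.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, cRLSign
EOF
  openssl x509 -req -in crlsigner.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile crlsigner.ext -out crlsigner.crt >/dev/null 2>&1

  # 3. End-entity certificate. Because its CRL will come from a different
  #    entity than the certificate issuer (an "indirect CRL"), its CRL
  #    distribution point names the delegate as CRLissuer.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.example.test" \
    -keyout ee.key -out ee.csr >/dev/null 2>&1
  cat > ee.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
crlDistributionPoints = crldp
[ crldp ]
fullname  = URI:http://pki.example.test/delegated.crl
CRLissuer = dirName:crl_issuer_dn
[ crl_issuer_dn ]
CN = Example CRL Issuer
EOF
  openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile ee.ext -out ee.crt >/dev/null 2>&1

  # 4. `openssl ca` configuration that points at the DELEGATE's key and cert.
  #    issuingDistributionPoint with indirectCRL tells relying parties that
  #    the CRL issuer differs from the certificate issuer (RFC 5280 5.2.5).
  : > index.txt
  echo 01 > crlnumber
  cat > crl.cnf <<'EOF'
[ ca ]
default_ca = crl_issuer

[ crl_issuer ]
database         = index.txt
crlnumber        = crlnumber
certificate      = crlsigner.crt
private_key      = crlsigner.key
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext

[ crl_ext ]
authorityKeyIdentifier   = keyid,issuer
issuingDistributionPoint = critical, @idp

[ idp ]
fullname    = URI:http://pki.example.test/delegated.crl
indirectCRL = TRUE
EOF

  # 5. Revoke the end-entity cert and issue the CRL. The root CA key is not
  #    touched anywhere in this step.
  openssl ca -config crl.cnf -revoke ee.crt >/dev/null 2>&1
  openssl ca -config crl.cnf -gencrl -out delegated.crl >/dev/null 2>&1

  # 6. Relying-party checks: the CRL signature verifies against the delegate's
  #    public key, and the delegate's certificate actually carries cRLSign.
  openssl crl -in delegated.crl -noout -verify -CAfile crlsigner.crt 2>&1 \
    | grep -q "verify OK"
  openssl x509 -in crlsigner.crt -noout -ext keyUsage | grep -q "CRL Sign"

  openssl crl -in delegated.crl -noout -issuer
)

# Run it (skips cleanly when no openssl binary is on PATH).
if command -v openssl >/dev/null 2>&1; then
  delegated_crl_demo
fi
```

Two caveats a practitioner should weigh before adopting this: the root key is still needed whenever the delegate's certificate has to be renewed or revoked, so it does not disappear from the process entirely; and indirect CRLs are not supported by every client (OpenSSL itself, for instance, only processes them when the X509_V_FLAG_EXTENDED_CRL_SUPPORT verify flag is set), so the relying parties must be checked before the delegate's CRL becomes the only revocation source.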
