Read my post: http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html

On 11-05-02 06:50 AM, Viliam Ďurina wrote:
> Hello,
>
> I'm doing my own CA with openssl and want to regularly generate CRLs.
> We plan limited use of the CA (say 1-2 certificates per year), so the
> CA private key is stored in a safe on a USB stick until it is used
> next time. But, as far as I know, we will need it to generate CRL
> quite often. I see two possible solutions:
>
> 1. be able to sign the CRL with another key, signed with that CA: is
> this possible?
>
> 2. generate the CRL with very long validity (say 1 year) and
> regenerate a new one when needed: isn't this breaking some PKI rules
> or common practices?
>
> Thanks,
> Viliam
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org