On 17 Apr 2012, at 2:04 PM, Nathan Smyth wrote:

>> If the apps only need to be able to verify certificates issued by that CA,
>> then all they need is a copy of the CA's certificate and to know that that
>> certificate should be used as a trust root. (And, perhaps, access to a CRL
>> or something if you want to be able to revoke certificates before they
>> expire.) This is the normal way that a small CA operates.
>
> Thanks for that. So in summary - each of the 'remote' machines should have a
> copy of the CA's cert, and periodically pull down the CRL... ?

Yes --- well, I've never set up CRL distribution (or OCSP) for my local CAs but that's my understanding, yes.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
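
The setup discussed in this thread, as an added example that is not part of the original messages: a throwaway CA issues and then revokes one certificate, and a "remote machine" verifies it with only the CA certificate, with an old CRL, and with a freshly pulled CRL. It assumes the OpenSSL 1.1.0 or later command-line tool is on the PATH; every file name, subject name and config section name is a placeholder.

```shell
#!/bin/sh
# Constructed demo: throwaway CA in a temp dir; every name is a placeholder.
ok() { if "$@" >/dev/null 2>&1; then printf ok; else printf FAIL; fi; }

run_demo() {
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  # CA side: root cert, one leaf, a CRL, then revoke the leaf and reissue the CRL.
  { openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Demo Local CA" -keyout ca.key -out ca.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=app.example.test" -keyout app.key -out app.csr &&
    openssl ca -config ca.cnf -batch -notext -in app.csr -out app.pem &&
    openssl ca -config ca.cnf -gencrl -out crl_old.pem &&
    openssl ca -config ca.cnf -revoke app.pem &&
    openssl ca -config ca.cnf -gencrl -out crl_new.pem; } >/dev/null 2>&1 || return 1
  # Remote machine side: it holds only ca.pem and whichever CRL it last pulled.
  echo "root_only=$(ok openssl verify -CAfile ca.pem app.pem)"
  echo "stale_crl=$(ok openssl verify -CAfile ca.pem -CRLfile crl_old.pem -crl_check app.pem)"
  echo "fresh_crl=$(ok openssl verify -CAfile ca.pem -CRLfile crl_new.pem -crl_check app.pem)"
}

crl_demo() {
  d=$(mktemp -d) || return 1
  ( cd "$d" && run_demo ) && rc=0 || rc=$?
  rm -rf "$d"; return "$rc"
}
crl_demo
```

Only the check against the CRL issued after revocation rejects the certificate; the trust root alone and the older CRL both still accept it, which is why the remote machines need to refresh the CRL on a schedule shorter than the revocation delay they can tolerate.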