X.509 allows for a self-signed certificate dedicated to CRL signing (with the same name, of course). But that's not acceptable for RFC5280.

You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And find a way to distribute this certificate.

--
Erwann ABALEA

On 15/03/2013 15:53, Sven Dreyer wrote:
Hi List,

I would like to set up an OpenSSL-based offline Root CA.

Certificates issued by this Root CA contain a CDP.

I would like to issue CRLs every 3 days, which would mean that I would have to take the offline Root CA online each 3 days.

Is there a way to let the Root CA issue a "CRL signer certificate", which can then run on a different machine for CRL signature?

For OCSP it seems to be possible (RFC2560, 2.6 - "OCSP Signature Authority Delegation"). Does anybody know whether it's possible for CRLs using OpenSSL?

Thanks for any advice,
Sven
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
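The second option in the reply above, worked through with OpenSSL commands as an added example (this is not code from either message, nor from the OpenSSL project): a root key, a self-issued CRL signer with the same subject name but its own key and keyUsage=cRLSign, a CRL produced with that key on another machine, and the client-side check. Every name, path and config section here is made up for the demo. The CRL carries an authorityKeyIdentifier so a verifier can tell the signer's key from the root's despite the identical names, and the OpenSSL client needs `-extended_crl` plus the signer certificate to accept it, which is the "check with your clients" and "distribute this certificate" part of the reply.

```bash
#!/bin/sh
# Added demo: root CA delegating CRL signing to a self-issued certificate.
# All names, paths and the subject DN are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=Example Offline Root CA"   # shared by the root and the CRL signer

# Builds root, self-issued CRL signer, two leaf certs (one revoked) and the CRL.
build_demo_pki() {
    cd "$WORK"
    mkdir -p demoCA/newcerts
    : > demoCA/index.txt
    echo 01 > demoCA/crlnumber
    echo 1000 > demoCA/serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = root_ca
[ root_ca ]
dir              = ./demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = root.crt
private_key      = root.key
default_md       = sha256
default_days     = 365
default_crl_days = 3
policy           = policy_any
crl_extensions   = crl_ext
[ policy_any ]
commonName       = supplied
[ crl_ext ]
# AKID on the CRL: identifies which key (root or signer) the client must use
authorityKeyIdentifier = keyid:always
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = root_ext
[ req_dn ]
commonName = placeholder
[ root_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ crl_signer_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # 1. Offline root (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -days 3650 -subj "$SUBJ" -config ca.cnf 2>/dev/null
    # 2. Self-issued CRL signer: same name as the root, new key, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout crlsigner.key \
        -out crlsigner.csr -subj "$SUBJ" -config ca.cnf 2>/dev/null
    openssl x509 -req -in crlsigner.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 400 -extfile ca.cnf -extensions crl_signer_ext -out crlsigner.crt 2>/dev/null
    # 3. Two end-entity certificates issued by the root itself.
    for n in good revoked; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=$n.example.test" -config ca.cnf 2>/dev/null
        openssl x509 -req -in "$n.csr" -CA root.crt -CAkey root.key -CAcreateserial \
            -days 365 -extfile ca.cnf -extensions leaf_ext -out "$n.crt" 2>/dev/null
    done
    # 4. On the CRL machine: only crlsigner.key is needed, the root key stays offline.
    openssl ca -config ca.cnf -cert crlsigner.crt -keyfile crlsigner.key \
        -revoke revoked.crt 2>/dev/null
    openssl ca -config ca.cnf -cert crlsigner.crt -keyfile crlsigner.key \
        -gencrl -out crl.pem 2>/dev/null
}

# Client check: root trusted, signer supplied as an untrusted cert, and
# -extended_crl so OpenSSL will look for a CRL key that is not on the path.
# Exit status 0 means the chain is valid and the certificate is not revoked.
verify_with_delegated_crl() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/crlsigner.crt" \
        -crl_check -extended_crl -CRLfile "$WORK/crl.pem" "$WORK/$1" >/dev/null 2>&1
}

# Same check without -extended_crl: the client then only tries the root's key
# for the CRL and cannot find a usable CRL at all (a client that must be "checked").
verify_without_extended_crl() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/crlsigner.crt" \
        -crl_check -CRLfile "$WORK/crl.pem" "$WORK/$1" >/dev/null 2>&1
}
```

Run `build_demo_pki`, then `verify_with_delegated_crl good.crt` succeeds, `verify_with_delegated_crl revoked.crt` fails with the certificate reported as revoked, and `verify_without_extended_crl good.crt` fails because no acceptable CRL is found; that last case is the behaviour to test against each relying party before relying on a delegated CRL signer.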

