On 3/10/22 14:06, edr dr wrote:
I would like to be able to automate the process of updating CRLs in
order to be able to keep the CRL validity time short.
Understandable.

At the same time, I do not want to store passwords used for
certificate creation in cleartext anywhere.
It's a pity that there is not something like an OpenSSL key agent (similar to ssh-agent) for interactively loading the CA's private key into memory during service start.

My current approach to achieve this is a separate CA only responsible for 
revocation.
My understanding is that such a CA is called an "indirect CRL issuer"

Are you 100% sure all the software used by your relying participants is capable of handling the X509v3 extensions involved?

In practice I have seen software fail miserably at validating such certs and CRLs, and also CAs that failed to generate the certs and CRLs correctly. :-/

Ciao, Michael.
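Added example, not part of this thread and not OpenSSL's or any project's code: a Python script using the third-party `cryptography` package that builds the arrangement edr dr describes (a root CA, a separate signer holding only cRLSign, a leaf whose cRLDistributionPoints names that signer as cRLIssuer) and then two indirect CRLs for that leaf, one carrying only the serial number and one carrying the critical certificateIssuer entry extension from RFC 5280 section 5.3.3. crl_revokes() applies the scoping rules a relying party has to implement for an indirect CRL, i.e. the X.509v3 extension handling Michael is asking about. All names, the URL and the function names are made up for this example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import CRLEntryExtensionOID, ExtensionOID, NameOID

# Hypothetical names and URL, chosen for this example only.
ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
REV_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Revocation CA")])
EE_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "service.example.test")])
CRL_URL = "http://crl.example.test/revocation-ca.crl"

def _cert(subject, issuer_name, issuer_key, public_key, ca, crl_sign, extra=None):
    """Issue a cert whose basicConstraints/keyUsage let a relying party tell CA, CRL signer and leaf apart."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(issuer_name).public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=not ca, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=crl_sign,
            encipher_only=False, decipher_only=False), critical=True)
    )
    if extra is not None:
        builder = builder.add_extension(extra, critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def _indirect_crl(rev_key, entry):
    """CRL signed by the revocation CA; the critical IDP with indirectCRL=TRUE is what makes it indirect."""
    now = datetime.datetime.now(datetime.timezone.utc)
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False, only_some_reasons=None,
        indirect_crl=True, only_contains_attribute_certs=False)
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(REV_NAME).last_update(now).next_update(now + datetime.timedelta(hours=1))
        .add_extension(idp, critical=True)
        .add_revoked_certificate(entry)
        .sign(rev_key, hashes.SHA256())
    )

def build_fixture():
    """Root CA, a separate cRLSign-only issuer, a leaf whose CRLDP names it, and two indirect CRLs."""
    root_key, rev_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert(ROOT_NAME, ROOT_NAME, root_key, root_key.public_key(), ca=True, crl_sign=True)
    # The revocation CA is not a CA at all: cRLSign is all RFC 5280 asks of a CRL issuer.
    rev = _cert(REV_NAME, ROOT_NAME, root_key, rev_key.public_key(), ca=False, crl_sign=True)
    # cRLIssuer in the leaf's CRLDP is what authorises a relying party to accept the other issuer's CRL.
    crldp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None, reasons=None,
        crl_issuer=[x509.DirectoryName(REV_NAME)])])
    ee = _cert(EE_NAME, ROOT_NAME, root_key, ee_key.public_key(), ca=False, crl_sign=False, extra=crldp)
    now = datetime.datetime.now(datetime.timezone.utc)
    # Naive entry: serial only. In an indirect CRL that means "a cert the CRL issuer itself issued".
    naive = x509.RevokedCertificateBuilder().serial_number(ee.serial_number).revocation_date(now).build()
    # Correct entry: critical certificateIssuer (RFC 5280 5.3.3) says the serial belongs to the root CA.
    good = (x509.RevokedCertificateBuilder().serial_number(ee.serial_number).revocation_date(now)
            .add_extension(x509.CertificateIssuer([x509.DirectoryName(ROOT_NAME)]), critical=True).build())
    return {"root": root, "crl_issuer": rev, "ee": ee,
            "naive_crl": _indirect_crl(rev_key, naive), "good_crl": _indirect_crl(rev_key, good)}

def crl_revokes(cert, crl, crl_issuer_cert):
    """True if crl revokes cert under RFC 5280 5.2.5/5.3.3 scoping; freshness and the CRL issuer's path are the caller's job."""
    ku = crl_issuer_cert.extensions.get_extension_for_class(x509.KeyUsage).value
    if (crl.issuer != crl_issuer_cert.subject or not ku.crl_sign
            or not crl.is_signature_valid(crl_issuer_cert.public_key())):
        raise ValueError("CRL is not signed by a cRLSign-capable certificate with a matching subject")
    idp = next((e.value for e in crl.extensions if e.oid == ExtensionOID.ISSUING_DISTRIBUTION_POINT), None)
    indirect = idp is not None and idp.indirect_crl
    if crl.issuer != cert.issuer:
        # Another issuer's CRL is in scope only if it is indirect AND the cert's CRLDP names that issuer.
        dps = next((e.value for e in cert.extensions if e.oid == ExtensionOID.CRL_DISTRIBUTION_POINTS), [])
        named = any(isinstance(gn, x509.DirectoryName) and gn.value == crl.issuer
                    for dp in dps for gn in (dp.crl_issuer or []))
        if not (indirect and named):
            raise ValueError("CRL issuer is neither the cert issuer nor a cRLIssuer in the cert's CRLDP")
    # Entries belong to the CRL issuer until a certificateIssuer extension switches the issuer for that
    # entry and all that follow (RFC 5280 5.3.3); a bare serial never matches another CA's certificate.
    entry_issuer = crl.issuer
    for entry in crl:
        ci = next((e.value for e in entry.extensions if e.oid == CRLEntryExtensionOID.CERTIFICATE_ISSUER), None)
        if ci is not None:
            entry_issuer = ci.get_values_for_type(x509.DirectoryName)[0]
        if entry.serial_number == cert.serial_number and entry_issuer == cert.issuer:
            return True
    return False

if __name__ == "__main__":
    fx = build_fixture()
    print({k: crl_revokes(fx["ee"], fx[k], fx["crl_issuer"]) for k in ("naive_crl", "good_crl")})
```

The serial-only CRL does not revoke the leaf: in an indirect CRL an entry without certificateIssuer refers to a certificate issued by the CRL issuer itself, so a relying party that follows the RFC has to ignore it even though the serial number matches. Write both CRLs and the three certs out with public_bytes(serialization.Encoding.PEM) and feed them to the validators your relying parties actually run; one that reports the leaf revoked for the serial-only CRL, not revoked for the second, or rejects the critical issuingDistributionPoint outright, is the kind of failure this thread warns about.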
