On 15/03/2013 17:01, Sven Dreyer wrote:
Hi Erwann,

On 15.03.2013 16:16, Erwann Abalea wrote:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And find a
way to distribute this certificate.

I'm not sure whether I got it right.

My Root CA is named "Foobar Root CA" with keypair (A).

I would then let "Foobar Root CA" issue a certificate for "Foobar Root CA" with keypair (B) and attribute "keyUsage = cRLSign".

I would then use the certificate for keypair (B) to sign the CRL.

Then, I would distribute the certificates for "Foobar Root CA" (A) and "Foobar Root CA" (B) to my clients' trusted CA stores.

Is this the way you pointed me to?

Yes. That's one possible solution (possible from a PKI point of view).

Another solution would be to play with indirect CRLs. That involves issuing a certificate (with a different name, for example "Foobar CRL Signer") dedicated to CRL signing, specifying its name in the CRLDistributionPoints of your issued certificates, and signing the CRL with this certificate+private key (Foobar CRL Signer). That CRL must have a critical IssuingDistributionPoint extension with the indirectCRL set to true, and at least the first revocation entry must have an extension indicating its issuer name (Foobar Root CA). "Foobar CRL Signer" may be issued under a completely different trust chain. I don't know how well this second solution is supported by clients, and I suppose that the "Foobar CRL Signer" certificate should itself have a CRLDP extension pointing to a valid CRL, etc.
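As an added example (not from the thread and not OpenSSL's own code), this script builds the first solution exactly as Sven lays it out with the openssl CLI: "Foobar Root CA" with key A, a self-issued "Foobar Root CA" certificate with key B and keyUsage=cRLSign, a revoked leaf, and a CRL signed with B; it then runs the two checks behind Erwann's "check with your clients" caveat. The function names (build_pki, verify_leaf, crl_sig_check), the leaf name leaf.example and every path, serial and lifetime are constructed demo values; the -extended_crl/-untrusted handling is OpenSSL's mechanism for locating a CRL signer that is not on the certification path.

```shell
# Constructed demo (not from the thread or from OpenSSL): root key A, self-issued CRL-signing cert with key B, CRL signed by B.
set -eu
build_pki() (   # $1 = scratch dir; every name, serial and lifetime here is a demo value
  cd "$1"; touch index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = root_ca
[ root_ca ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = root.pem
private_key = rootA.key
default_md = sha256
policy = any_cn
crl_extensions = crl_ext
[ any_cn ]
commonName = supplied
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ crlsigner_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  for k in rootA keyB leaf; do openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$k.key"; done
  openssl req -config ca.cnf -x509 -new -key rootA.key -subj "/CN=Foobar Root CA" -days 3650 -extensions root_ext -out root.pem
  # Key B under the root's own name, signed by key A: self-issued, not self-signed, and limited to CRL signing
  openssl req -config ca.cnf -new -key keyB.key -subj "/CN=Foobar Root CA" -out b.csr
  openssl ca -config ca.cnf -batch -notext -days 365 -extensions crlsigner_ext -in b.csr -out crlsigner.pem
  openssl req -config ca.cnf -new -key leaf.key -subj "/CN=leaf.example" -out leaf.csr
  openssl ca -config ca.cnf -batch -notext -days 365 -in leaf.csr -out leaf.pem
  openssl ca -config ca.cnf -revoke leaf.pem
  # The CRL's authorityKeyIdentifier names key B; that is what lets a verifier tell the two same-name certs apart
  openssl ca -config ca.cnf -gencrl -crldays 30 -cert crlsigner.pem -keyfile keyB.key -out crl.pem
)
verify_leaf() {   # prints "OK" or "certificate revoked"; -extended_crl lets OpenSSL use a CRL signer that is not on the path
  (cd "$1" && openssl verify -crl_check -extended_crl -CAfile root.pem -untrusted crlsigner.pem -CRLfile crl.pem leaf.pem 2>&1) | grep -oE 'OK$|certificate revoked' | head -n 1
}
# "openssl crl" looks the issuer up by name only, so it tries key A when handed root.pem and reports a failure on a valid CRL
crl_sig_check() { (cd "$1" && openssl crl -in crl.pem -noout -CAfile "$2" 2>&1) | grep -oE 'verify (OK|failure)'; }
demo_dir=$(mktemp -d); build_pki "$demo_dir" >/dev/null 2>&1; echo "leaf: $(verify_leaf "$demo_dir"); CRL vs root.pem: $(crl_sig_check "$demo_dir" root.pem)"
```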
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org