Hi, While Japanese ApplicationCA2 Root has been rejected as a Root CA  and is no longer in operation , I become aware of CRL endpoint of both the CA and at least one of sub-CA is unavailable.
a sub-CA: https://crt.sh/?id=9341006 leaf certificate issued from the sub-CA: https://crt.sh/?id=524524172 (you can browse all issued certificates from the sub-CA with https://crt.sh/?Identity=%25&iCAID=1419) Both of them was revoked but CRL endpoint is unavailable now with HTTP 404 error response. OCSP also fails. Is it OK to abandon CRL for the decommissioned CA even if there are still unexpired certificates? The certificates was revoked but we have no way to validate it in a PKI-ish manner... Sorry if it is off-topic because the CA has never been approved as Root CA by Mozilla.  https://bugzilla.mozilla.org/show_bug.cgi?id=870185  https://www.gpki.go.jp/apca2/ (only in Japanese) Sincerely, -- Nenyotoso _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy