Generically speaking this IS an allowed configuration according to the RFC - and it is recommended that the CRL signer be issued off the CA for which it is signing CRLs. But whether OpenCA supports this, I will leave that to the experts... -Scott
Diego de Felice wrote:
> I think this is not so correct. When you verify the validity of an
> X509 certificate, you download the CRL specified in the CDP extension
> and you must verify that the CRL is signed by the same CA certificate
> that issued the certificate (through the authorityKeyIdentifier
> extension). If you sign the CRL with another key, this check will fail
> in third party software.
>
> Of course you can force this in OpenCA by modifying the Perl code :-)
>
> On 9/8/07, John Zornig <[EMAIL PROTECTED]> wrote:
>> Is it possible in Open CA to configure a CRL Issuer or Revocation Authority
>> which can be online and issuing regular CRLs for an offline CA?
>>
>> i.e. the CRLs would be signed by a CRL Issuer key rather than the CA key.
>>
>> I can't find any mention of this in the doco.

--
Scott Rea
Director, HEBCA|USHER Operating Authority
Dartmouth Senior PKI Architect
Peter Kiewit Computing Services
Dartmouth College
HB 6238, #058 Sudikoff
Hanover, NH 03755
Em: [EMAIL PROTECTED]
Ph#(603) 646-0968
Ot#(603) 646-9181
Ce#(603) 252-7339

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
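Added illustration of the two positions in the thread (this is not code from the thread or from OpenCA): the simple "CRL must be signed by the issuing CA key" check that Diego describes, next to the issuer and scope checks of RFC 5280 section 6.3.3 (RFC 3280 at the time of the thread) that accept an indirect CRL when the certificate's CDP names a cRLIssuer, the CRL asserts indirectCRL, and the CRL issuer holds a cRLSign certificate from the same CA. Signature verification is abstracted to comparing the CRL's authorityKeyIdentifier with a subjectKeyIdentifier, the certification path is assumed to be one level below the CA, and all names, key identifiers and serials are constructed for the example.

```python
"""Model of the RFC 5280 section 6.3.3 CRL issuer checks.

Added illustration for the thread above; it is not OpenCA code.  Real
signature verification is abstracted: a CRL counts as "signed by" a key
when its authorityKeyIdentifier equals that key's subjectKeyIdentifier.
Every name, key identifier and serial below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    ski: str                            # subjectKeyIdentifier of this cert's key
    aki: str                            # authorityKeyIdentifier: SKI of the signing key
    crl_sign: bool = False              # keyUsage cRLSign bit
    crl_issuer: Optional[str] = None    # cRLIssuer name from the CDP, if present


@dataclass
class Crl:
    issuer: str
    aki: str                            # SKI of the key that signed the CRL
    indirect: bool = False              # indirectCRL flag of the IDP extension
    revoked: frozenset = frozenset()    # revoked serial numbers


def direct_check(cert: Cert, crl: Crl) -> bool:
    """The check Diego describes: the CRL must come from the issuing CA key."""
    return crl.issuer == cert.issuer and crl.aki == cert.aki


def verify_crl_issuer(cert: Cert, crl: Crl, store: dict) -> tuple:
    """RFC 5280 6.3.3 (b)(1) and (f) for a one-level path below the CA.

    Returns (accepted, reason).  `store` maps subject names to Certs.
    """
    if cert.crl_issuer is None:
        # No cRLIssuer in the CDP: only a direct CRL from the issuing CA is acceptable.
        if not direct_check(cert, crl):
            return False, "CRL is not signed by the certificate's issuing key"
        return True, "direct CRL from the issuing CA"
    # cRLIssuer present: the CRL is indirect and must come from that named issuer.
    if crl.issuer != cert.crl_issuer:
        return False, "CRL issuer does not match cRLIssuer in the CDP"
    if not crl.indirect:
        return False, "CRL does not assert indirectCRL in its IDP"
    signer = store.get(crl.issuer)
    if signer is None or signer.ski != crl.aki:
        return False, "no CRL issuer certificate matches the CRL's AKI"
    if not signer.crl_sign:
        return False, "CRL issuer certificate lacks the cRLSign key usage"
    # The CRL issuer's path must end at the same CA that issued the certificate.
    if signer.issuer != cert.issuer or signer.aki != cert.aki:
        return False, "CRL issuer certificate was not issued by the certificate's CA"
    return True, "indirect CRL from a CRL issuer certified by the CA"


def is_revoked(serial: str, cert: Cert, crl: Crl, store: dict) -> Optional[bool]:
    """Revocation status, or None when this CRL may not be used for the cert."""
    ok, _ = verify_crl_issuer(cert, crl, store)
    return serial in crl.revoked if ok else None


# Constructed PKI: offline CA, online CRL issuer certified by it, two end-entity certs.
CA = Cert("CN=Offline Root CA", "CN=Offline Root CA", "ca-key", "ca-key", crl_sign=True)
CRL_ISSUER = Cert("CN=Online CRL Issuer", CA.subject, "crl-key", "ca-key", crl_sign=True)
EE_DIRECT = Cert("CN=host-a", CA.subject, "ee-a-key", "ca-key")        # CDP has no cRLIssuer
EE_INDIRECT = Cert("CN=host-b", CA.subject, "ee-b-key", "ca-key",
                   crl_issuer=CRL_ISSUER.subject)                      # CDP names the CRL issuer
STORE = {c.subject: c for c in (CA, CRL_ISSUER)}

# Constructed CRLs: one signed by the CA itself, one by the online CRL issuer.
DIRECT_CRL = Crl(CA.subject, "ca-key", revoked=frozenset({"0x02"}))
INDIRECT_CRL = Crl(CRL_ISSUER.subject, "crl-key", indirect=True, revoked=frozenset({"0x02"}))


if __name__ == "__main__":
    for cert in (EE_DIRECT, EE_INDIRECT):
        for crl in (DIRECT_CRL, INDIRECT_CRL):
            print(cert.subject, "vs CRL from", crl.issuer, "->",
                  verify_crl_issuer(cert, crl, STORE))
```

Run as a script it prints the four combinations: host-a (plain CDP) is only checkable against the CA-signed CRL, which is Diego's point, while host-b, whose CDP names the CRL issuer, is only checkable against the indirect CRL, which is the configuration Scott says the RFC allows. The practical consequence is that switching an existing CA to a separate CRL signer is not a CA-side change alone: certificates already issued with a CDP that lacks cRLIssuer will keep failing in conforming relying parties.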