Goetz Babin-Ebell wrote:
> > Should a self-signed root certificate ever need to be revoked, shall it
> > list itself in its usual CRL(s), as the last thing it does before it is
> > thrown away, or is it sufficient (from its users' standpoint) that it
> > simply ceases to issue more CRLs?
>
> Since the root certificate is at this time invalid,
> you can't use it to sign the CTL...
Then sign a CRL with a revocation date in future with regard to the CRL
signing date.
I don't beliveve anything stop a CA from announcing it will revoque a
certificate _before_ it does it.
I don't know if the client will like it.
Technically speaking the emitter of the root cert is the root cert itself,
therefore it is entitled to revoke itself.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
