How to create indirect CRL using openssl ca command
Michael Ströder
michael at stroeder.com
Thu Mar 10 19:17:21 UTC 2022
On 3/10/22 14:06, edr dr wrote:
> I would like to be able to automate the process of updating CRLs in
> order to be able to keep the CRL validity time short.
Understandable.
> At the same time, I do not want to store passwords used for
> certificate creation in cleartext anywhere.
It's a pity that there is not something like an OpenSSL key agent
(similar to ssh-agent) for interactively loading the CA's private key
into memory during service start.
> My current approach to achieve this is a separate CA only responsible for revocation.
> My understanding is that such a CA is called an "indirect CRL issuer"
Are you 100% sure all the software used by your relying participants is
capable of handling the X509v3 extensions involved?
In practice I saw software miserably fail validating such certs and
CRLs. Or also CAs failed to generate the certs and CRLs correctly. :-/
Ciao, Michael.
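Added example, not code from Michael's message or from the thread: a throwaway revocation-only CA that produces an indirect CRL with a one-hour validity using `openssl ca -gencrl`. The issuer name "Example Indirect CRL Issuer", the URI http://crl.example.test/indirect.crl, the CRL_CA_PASS variable and its demo default are assumptions made for this script. The CA key is stored encrypted and the passphrase is taken from the environment at run time, which is the closest thing to the agent-style handling wished for above; the example only produces the CRL side, so the certificates being revoked would still need cRLDistributionPoints entries whose cRLIssuer names this issuer, and relying-party software must accept the issuingDistributionPoint extension, which is exactly the interoperability concern raised in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): revocation-only CA issuing an indirect CRL.
# Issuer name, crl.example.test URI and CRL_CA_PASS are assumptions for the demo.
set -eu

# openssl.cnf for a CA that only signs CRLs. issuingDistributionPoint with
# indirectCRL=TRUE is what marks the CRL as an indirect CRL.
write_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = revocation_ca

[ revocation_ca ]
dir            = ./ca
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
crlnumber      = $dir/crlnumber
certificate    = $dir/crlca.crt
private_key    = $dir/crlca.key
default_md     = sha256
crl_extensions = crl_ext

[ crl_ext ]
authorityKeyIdentifier   = keyid:always
issuingDistributionPoint = critical, @idp

[ idp ]
fullname    = URI:http://crl.example.test/indirect.crl
indirectCRL = TRUE

[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]
CN = Example Indirect CRL Issuer

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build the CA under directory $1 and emit a CRL valid for one hour. The key is
# encrypted; the passphrase comes from CRL_CA_PASS (demo default if unset), so
# nothing is stored in cleartext on disk. Prints the absolute path of the CRL.
make_indirect_crl() (
  cd "$1"
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 01   > ca/serial
  echo 1000 > ca/crlnumber
  write_config ca.cnf
  : "${CRL_CA_PASS:=demo-only-passphrase}"   # set this for real use
  export CRL_CA_PASS

  # Self-signed CRL-signing certificate with an encrypted P-256 key.
  openssl req -x509 -config ca.cnf -days 3650 \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout ca/crlca.key -passout env:CRL_CA_PASS \
    -out ca/crlca.crt >/dev/null 2>&1

  # Short-lived CRL: nextUpdate = now + 1 hour, so this must be re-run hourly.
  openssl ca -config ca.cnf -gencrl -crlhours 1 \
    -passin env:CRL_CA_PASS -out indirect.crl >/dev/null 2>&1

  printf '%s\n' "$(pwd)/indirect.crl"
)

# True if the CRL carries issuingDistributionPoint with the indirectCRL flag.
crl_is_indirect() {
  openssl crl -in "$1" -noout -text | grep -q 'Indirect CRL'
}

# True if the CRL signature verifies against the issuer certificate in $2.
crl_verifies() {
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Stand-alone demo: build everything in a temp dir and show the CRL's key fields.
demo_dir=$(mktemp -d)
demo_crl=$(make_indirect_crl "$demo_dir")
openssl crl -in "$demo_crl" -noout -issuer -lastupdate -nextupdate
crl_is_indirect "$demo_crl" && echo "indirectCRL flag present"
crl_verifies "$demo_crl" "$demo_dir/ca/crlca.crt" && echo "signature OK"
rm -rf "$demo_dir"
```

Running it prints the issuer DN, lastUpdate and nextUpdate one hour apart, then the two confirmations; `openssl crl -text` on the file shows "X509v3 Issuing Distribution Point: critical" with the full name and "Indirect CRL". The hourly re-run is the part a scheduler would own; the passphrase would be injected into CRL_CA_PASS by whatever unlocks the key at service start rather than being written into a file.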