Re: How to create indirect CRL using openssl ca command

edr e-d-r at gmx.de
Fri Mar 11 10:59:29 UTC 2022


On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
> 
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
> 
> In practice I saw software miserably fail validating such certs and CRLs. Or
> also CAs failed to generate the certs and CRLs correctly. :-/
>

That is a very good point you are making - thank you for this input.


On 10.03.2022 20:27, Michael Wojcik wrote:
> Personally, I'd be leery of using openssl ca for anything other than dev/test purposes, in which case frequent CRL generation seems unlikely to be a requirement. AIUI, openssl ca isn't really intended for production use.

I did see the RESTRICTIONS [1] and WARNINGS [2] sections in the openssl-ca documentation. I think that I can handle the problems described there, but would still be interested if you have any concerns beyond those warnings and the functional limitations I am currently running into.
Also, what (open source) CA software do you recommend instead?

Thanks again


[1] https://www.openssl.org/docs/man1.0.2/man1/ca.html#RESTRICTIONS
[2] https://www.openssl.org/docs/man1.0.2/man1/ca.html#WARNINGS
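The concern quoted above from Michael Ströder is that relying-party software may not handle the extensions an indirect CRL depends on: issuingDistributionPoint with indirectCRL set, and the certificateIssuer CRL entry extension. What follows is an added example, not code from this thread, from OpenSSL or from any CA product: a standard-library-only Python walker over a CRL's DER that reports whether the CRL is indirect and which issuer each revoked entry applies to, following the RFC 5280 section 5.3.3 rule that a certificateIssuer entry extension stays in force for later entries until the next one (the part that naive implementations most often get wrong). The sample CRL, its issuer names and serial numbers are constructed inline; its signature is an empty BIT STRING, so the script checks structure only and verifies no signature.

```python
"""Relying-party check for indirect CRLs (RFC 5280 sections 5.2.5 and 5.3.3).

Added example for this thread, not code from the thread or from OpenSSL. A minimal
DER walker (standard library only) reports whether a CRL is indirect and which issuer
each revoked entry applies to. The sample CRL is constructed inline with an empty
signature, so structure is checked, not a signature. All names are invented.
"""

# OIDs as DER content bytes (hardcoded so no OID encoder is needed).
OID_CN = b"\x55\x04\x03"                                   # 2.5.4.3 commonName
OID_IDP = b"\x55\x1d\x1c"                                  # 2.5.29.28 issuingDistributionPoint
OID_CERT_ISSUER = b"\x55\x1d\x1d"                          # 2.5.29.29 certificateIssuer
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def elements(body):
    """Yield (tag, body) for each element inside a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def unwrap(tlv):
    """Body of a single DER element (e.g. the SEQUENCE inside an OCTET STRING extnValue)."""
    return read_tlv(tlv)[1]

def name_to_str(name_body):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=...' text."""
    parts = []
    for _, rdn in elements(name_body):
        for _, atv in elements(rdn):
            (_, oid), (_, value) = elements(atv)
            parts.append(("CN" if oid == OID_CN else oid.hex()) + "=" + value.decode())
    return ",".join(parts)

def parse_extensions(ext_seq_body):
    """Map extension OID bytes -> (critical, extnValue DER)."""
    out = {}
    for _, ext in elements(ext_seq_body):
        fields = list(elements(ext))                       # OID, [BOOLEAN critical], OCTET STRING
        out[fields[0][1]] = (len(fields) == 3 and fields[1][1] != b"\x00", fields[-1][1])
    return out

def crl_entry_issuers(crl_der):
    """Return (indirect, [(serial, issuer_str), ...]) for every revoked entry in the CRL."""
    tbs = list(elements(unwrap(crl_der)))[0][1]           # tbsCertList body
    f = list(elements(tbs))
    i = 1 if f[0][0] == 0x02 else 0                        # optional version INTEGER
    i += 1                                                 # signature AlgorithmIdentifier
    crl_issuer = f[i][1]; i += 1                           # issuer Name body, kept as raw DER
    i += 1                                                 # thisUpdate
    if i < len(f) and f[i][0] in (0x17, 0x18):             # optional nextUpdate
        i += 1
    revoked = []
    if i < len(f) and f[i][0] == 0x30:                     # optional revokedCertificates
        revoked = list(elements(f[i][1])); i += 1
    crl_exts = {}
    if i < len(f) and f[i][0] == 0xA0:                     # [0] EXPLICIT crlExtensions
        crl_exts = parse_extensions(unwrap(f[i][1]))
    indirect = False
    if OID_IDP in crl_exts:                                # indirectCRL [4] IMPLICIT BOOLEAN DEFAULT FALSE
        indirect = any(t == 0x84 and b != b"\x00" for t, b in elements(unwrap(crl_exts[OID_IDP][1])))
    # RFC 5280 5.3.3: the issuer defaults to the CRL issuer; a certificateIssuer entry
    # extension applies to its entry and to all later entries until the next one.
    current, result = crl_issuer, []
    for _, entry in revoked:
        ef = list(elements(entry))                         # serial, revocationDate, [crlEntryExtensions]
        exts = parse_extensions(ef[2][1]) if len(ef) == 3 else {}
        if OID_CERT_ISSUER in exts:
            for t, gn in elements(unwrap(exts[OID_CERT_ISSUER][1])):   # GeneralNames
                if t == 0xA4:                              # directoryName [4] EXPLICIT Name
                    current = unwrap(gn)
        result.append((int.from_bytes(ef[0][1], "big", signed=True), name_to_str(current)))
    return indirect, result

# --- tiny DER encoder, used only to build the constructed sample below ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))

def der_ext(oid, critical, value):
    return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))

def der_entry(serial, cert_issuer_cn=None):
    body = der(0x02, bytes([serial])) + der(0x17, b"220311105929Z")
    if cert_issuer_cn:                                     # GeneralNames with one directoryName
        gn = der(0x30, der(0xA4, der_name(cert_issuer_cn)))
        body += der(0x30, der_ext(OID_CERT_ISSUER, True, gn))
    return der(0x30, body)

def sample_indirect_crl():
    """Constructed v2 CRL from 'CRL Issuer' that revokes certificates of two other CAs."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    idp = der(0x30, der(0x84, b"\xff"))                    # IssuingDistributionPoint { indirectCRL TRUE }
    entries = (der_entry(0x10)                             # no certificateIssuer -> CRL issuer
               + der_entry(0x11, "CA One")
               + der_entry(0x12)                           # inherits CA One from the previous entry
               + der_entry(0x13, "CA Two"))
    tbs = der(0x30, der(0x02, b"\x01") + alg + der_name("CRL Issuer")
              + der(0x17, b"220311105929Z") + der(0x17, b"220411105929Z")
              + der(0x30, entries) + der(0xA0, der(0x30, der_ext(OID_IDP, True, idp))))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

if __name__ == "__main__":
    indirect, entries = crl_entry_issuers(sample_indirect_crl())
    print("indirect CRL:", indirect)
    for serial, issuer in entries:
        print(f"  serial {serial}: revoked certificate issued by {issuer}")
```

To run it against a real CRL, replace sample_indirect_crl() with the DER bytes of a file produced by the CA under test (openssl crl -outform DER converts PEM). If entries resolve to the wrong issuer, or serial 18 above comes back as "CRL Issuer" in your own implementation, that is the interoperability failure the thread warns about: an entry without its own certificateIssuer must inherit the previous one, not fall back to the CRL issuer.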