Root CA CRLs
- From: Seeker <newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Oct 2006 17:35:19 GMT
I'm setting up a two-tier PKI hierarchy. The root will be offline and
will sign the issuing CA certificate. What is the best practice for the
root Certificate Revocation List and revoking the root certificate?
Should I immediately revoke the root certificate after creating the
issuing CA and store it in a secure location in case the passphrase is lost?
Should I create a certificate revocation list from the root or only on
the issuing CA? I certainly don't want to have to retrieve the root
authority to update the list, but will the clients handle this OK if the
root public key is in the browser but the issuing CA revokes
certificates and publishes the list? I would think so, since the chain
should be intact.
Thanks in advance.
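An added example, not part of the poster's message or of any reply, that builds the hierarchy described above with openssl(1): an offline root that signs the issuing CA and publishes a long-lived CRL, an issuing CA that publishes a short-lived CRL, and openssl verify run in both of its CRL-checking modes so the difference is visible. The CA names, the directory layout and the CRL lifetimes (365 and 7 days) are assumptions chosen for the demo; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: a two-tier PKI built with
# openssl(1), with a CRL from the offline root and one from the issuing CA.
# Names, paths and lifetimes are assumptions made for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf and "openssl ca" database under $1; $2 = CRL lifetime (days).
make_ca_config() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = $2
policy = dn_policy
x509_extensions = leaf_ext
[ dn_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_pki() {
    ROOT="$WORK/root"; SUB="$WORK/issuing"
    make_ca_config "$ROOT" 365   # root CRL: long-lived, reissued only when the root is brought online
    make_ca_config "$SUB" 7      # issuing CA CRL: reissued weekly
    # Root key and self-signed cert; the root then goes offline.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$ROOT/openssl.cnf" \
        -extensions root_ext -subj "/CN=Demo Root CA" -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" 2>/dev/null
    # Issuing CA: CSR signed by the root with CA:TRUE, pathlen:0; then the root's (empty) CRL.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$SUB/openssl.cnf" \
        -subj "/CN=Demo Issuing CA" -keyout "$SUB/ca.key" -out "$SUB/ca.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ROOT/openssl.cnf" -extensions sub_ext -days 1825 \
        -in "$SUB/ca.csr" -out "$SUB/ca.crt" >/dev/null 2>&1
    openssl ca -config "$ROOT/openssl.cnf" -gencrl -out "$ROOT/ca.crl" 2>/dev/null
    # Leaf cert from the issuing CA, plus the issuing CA's (empty) CRL.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$SUB/openssl.cnf" \
        -subj "/CN=server.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -batch -notext -config "$SUB/openssl.cnf" -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" >/dev/null 2>&1
    openssl ca -config "$SUB/openssl.cnf" -gencrl -out "$SUB/ca.crl" 2>/dev/null
}

# Full-chain CRL check (-crl_check_all): every certificate in the chain, the self-signed
# root included, needs a CRL from its issuer, so the root CRL is required even though the root is offline.
verify_full_chain() {
    cat "$ROOT/ca.crl" "$SUB/ca.crl" > "$WORK/all.crl"
    openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" -CRLfile "$WORK/all.crl" \
        -crl_check_all "$WORK/leaf.crt" >/dev/null 2>&1
}
verify_full_chain_without_root_crl() {
    openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" -CRLfile "$SUB/ca.crl" \
        -crl_check_all "$WORK/leaf.crt" >/dev/null 2>&1
}
# Leaf-only CRL check (-crl_check): only the issuing CA's CRL is consulted.
verify_leaf_only() {
    openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" -CRLfile "$SUB/ca.crl" \
        -crl_check "$WORK/leaf.crt" >/dev/null 2>&1
}
# Revoke the leaf at the issuing CA and publish a fresh issuing-CA CRL; the root is not involved.
revoke_leaf() {
    openssl ca -config "$SUB/openssl.cnf" -revoke "$WORK/leaf.crt" >/dev/null 2>&1
    openssl ca -config "$SUB/openssl.cnf" -gencrl -out "$SUB/ca.crl" 2>/dev/null
}

report() { if "$1"; then echo "$2: ok"; else echo "$2: FAIL"; fi; }
build_pki
report verify_leaf_only "leaf-only check, issuing CA CRL only"                  # ok
report verify_full_chain_without_root_crl "full-chain check, issuing CA CRL only" # FAIL: no CRL for the root
report verify_full_chain "full-chain check, root + issuing CA CRLs"             # ok
revoke_leaf
report verify_full_chain "full-chain check after revoking the leaf"             # FAIL: certificate revoked
```

The two verify modes are the point of the demo: openssl verify -crl_check looks up a CRL only for the leaf, so a relying party in that mode needs nothing but the issuing CA's CRL, while -crl_check_all demands a current CRL for each certificate in the chain and fails with "unable to get certificate CRL" when the root's is absent. Which mode a given client population uses decides whether the root CRL matters to them at all; where it does, the root CRL's nextUpdate (365 days here) is what fixes how often the offline root has to be brought up to re-sign it, and revoking a leaf never touches the root.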