Root CA CRLs



I'm setting up a two-tier PKI hierarchy. The root will be offline and
will sign the issuing CA certificate. What is the best practice for the
root Certificate Revocation List and revoking the root certificate?

Should I immediately revoke the root certificate after creating the
issuing CA and store it in a secure location in case the passphrase is lost?

Should I create a certificate revocation list from the root or only on
the issuing CA? I certainly don't want to have to retrieve the root
authority to update the list, but will the clients handle this OK if the
root public key is in the browser but the issuing CA revokes
certificates and publishes the list? I would think so, since the chain
should be intact.

Thanks in advance.
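The setup asked about, as an added example that is not part of the post: an offline root signs the issuing CA and publishes its own long-lived CRL, the issuing CA publishes the routinely refreshed CRL, and `openssl verify -crl_check_all` shows what a client that checks revocation for the whole chain needs. The temp-directory layout, CN values and validity periods are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the post: two-tier PKI built with openssl in a temp dir.
# Directory layout, CN values and lifetimes below are assumptions made for the demo.
set -e
PKI=$(mktemp -d)
mkca() {  # minimal 'openssl ca'/'openssl req' config for a CA kept in $PKI/$1
  mkdir -p "$PKI/$1"; : > "$PKI/$1/index.txt"; echo 1000 > "$PKI/$1/serial"; echo 1000 > "$PKI/$1/crlnumber"
  cat > "$PKI/$1/ca.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[ca]
default_ca = ca_default
[ca_default]
database = $PKI/$1/index.txt
new_certs_dir = $PKI/$1
serial = $PKI/$1/serial
crlnumber = $PKI/$1/crlnumber
certificate = $PKI/$1/ca.pem
private_key = $PKI/$1/ca.key
default_md = sha256
policy = policy_any
x509_extensions = ca_ext
[policy_any]
commonName = supplied
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
}
build_pki() {  # root signs the issuing CA and its own CRL; issuing CA signs the leaf and its CRL
  mkca root; mkca issuing
  openssl req -x509 -config "$PKI/root/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -subj /CN=Root -days 3650 -keyout "$PKI/root/ca.key" -out "$PKI/root/ca.pem" 2>/dev/null
  openssl req -config "$PKI/root/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=Issuing -keyout "$PKI/issuing/ca.key" -out "$PKI/issuing.csr" 2>/dev/null
  openssl ca -batch -notext -config "$PKI/root/ca.cnf" -days 1825 -in "$PKI/issuing.csr" -out "$PKI/issuing/ca.pem" 2>/dev/null
  openssl ca -config "$PKI/root/ca.cnf" -gencrl -crldays 365 -out "$PKI/root/crl.pem" 2>/dev/null   # long-lived: the root stays offline
  openssl req -config "$PKI/root/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=leaf.example -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" 2>/dev/null
  openssl ca -batch -notext -config "$PKI/issuing/ca.cnf" -extensions leaf_ext -days 365 -in "$PKI/leaf.csr" -out "$PKI/leaf.pem" 2>/dev/null
  openssl ca -config "$PKI/issuing/ca.cnf" -gencrl -crldays 7 -out "$PKI/issuing/crl.pem" 2>/dev/null   # refreshed routinely by the online CA
}
verify_leaf() {  # exit 0 only if the leaf verifies with full-chain CRL checking using the CRL files given in "$@"
  cat "$@" > "$PKI/bundle.crl"
  openssl verify -crl_check_all -CAfile "$PKI/root/ca.pem" -untrusted "$PKI/issuing/ca.pem" -CRLfile "$PKI/bundle.crl" "$PKI/leaf.pem"
}
build_pki
verify_leaf "$PKI/issuing/crl.pem" || echo "rejected: no CRL covers the issuing CA certificate"
verify_leaf "$PKI/issuing/crl.pem" "$PKI/root/crl.pem"
```

The first verification fails with "unable to get certificate CRL" because nothing signed by the root says whether the issuing CA certificate is still good; the second succeeds once the root's CRL is available alongside the issuing CA's. A root CRL can only list certificates the root issued (here, the issuing CA); a trust anchor itself is withdrawn by removing it from clients' trust stores rather than by an entry on its own CRL.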