On 3/10/22 14:06, edr dr wrote:
> I would like to be able to automate the process of updating CRLs in
> order to be able to keep the CRL validity time short.
Understandable.
> At the same time, I do not want to store passwords used for
> certificate creation in cleartext anywhere.
> It's a pity that there is not something like an OpenSSL key agent
> (similar to ssh-agent) for interactively loading the CA's private key
> into memory during service start.
> My current approach to achieve this is a separate CA only responsible for revocation.
> My understanding is that such a CA is called an "indirect CRL issuer".
Are you 100% sure all the software used by your relying participants is
capable of handling the X509v3 extensions involved?
In practice I have seen software fail miserably at validating such certs and
CRLs, and also CAs that failed to generate the certs and CRLs correctly. :-/
Ciao, Michael.