On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
>
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
>
> In practice I saw software miserably fail validating such certs and CRLs. Or
> also CAs failed to generate the certs and CRLs correctly. :-/
>

That is a very good point you are making - thank you for this input.

On 10.03.2022 20:27, Michael Wojcik wrote:
> Personally, I'd be leery of using openssl ca for anything other than dev/test purposes, in which case frequent CRL generation seems unlikely to be a requirement. AIUI, openssl ca isn't really intended for production use.

I did see the RESTRICTIONS [1] and WARNINGs [2] sections in the openssl-ca documentation. I think that I can handle the problems described there but would still be interested if you have any concerns beyond those warnings and the functional limitations I am currently running into.

Also what (open source) ca software do you recommend instead?

Thanks again

[1] https://www.openssl.org/docs/man1.0.2/man1/ca.html#RESTRICTIONS
[2] https://www.openssl.org/docs/man1.0.2/man1/ca.html#WARNINGS
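Added example, not from anyone on this thread: a POSIX shell round trip that builds a throw-away CA with `openssl ca`, issues one certificate, generates an empty CRL, revokes the certificate, regenerates the CRL, and checks with `openssl verify -crl_check` that a relying party using OpenSSL accepts the certificate before revocation and rejects it afterwards. This is the kind of consumer-side check the first quoted message argues for, run against OpenSSL itself as the relying party. It assumes `openssl(1)` on PATH; the config file, key names and subjects are all made up for the example.

```sh
#!/bin/sh
# Added example (not the thread's or OpenSSL's own code): generate certs and a
# CRL with `openssl ca`, then confirm `openssl verify -crl_check` honours them.
# Assumes openssl(1) on PATH. All file names, subjects and the config are made up.

crl_roundtrip() {
  work=$(mktemp -d) || return 1
  if (
    set -e
    cd "$work"
    mkdir -p db/newcerts
    touch db/index.txt
    echo 1000 > db/serial
    echo 1000 > db/crlnumber

    # Minimal, hypothetical openssl.cnf for `openssl ca` and `openssl req`.
    # Quoted heredoc so the shell leaves OpenSSL's $dir substitution alone.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./db
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = demo_policy
x509_extensions  = leaf_ext
crl_extensions   = crl_ext

[ demo_policy ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ crl_ext ]
authorityKeyIdentifier = keyid
EOF

    # Self-signed CA certificate carrying the v3 extensions a CA needs.
    openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -subj /CN=demo-ca -days 30 2>/dev/null

    # Leaf CSR, signed by `openssl ca` (diagnostics silenced to keep output tidy).
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj /CN=demo-leaf 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem 2>/dev/null

    # -crl_check needs a CRL for every CA in the chain, so publish an empty one
    # first; the not-yet-revoked leaf must verify against it.
    openssl ca -config ca.cnf -gencrl -out crl0.pem 2>/dev/null
    openssl verify -crl_check -CAfile ca.pem -CRLfile crl0.pem leaf.pem >/dev/null 2>&1

    # Revoke the leaf, regenerate the CRL, and require the same check to FAIL.
    openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl1.pem 2>/dev/null
    if openssl verify -crl_check -CAfile ca.pem -CRLfile crl1.pem leaf.pem >/dev/null 2>&1; then
      echo "revoked certificate still verifies" >&2
      exit 1
    fi
  ); then
    rc=0
    echo "ok: revoked certificate rejected"
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}
```

Running `crl_roundtrip` prints `ok: revoked certificate rejected` and returns 0 when both halves behave; the same two `openssl verify` calls can be pointed at certificates and CRLs produced by a real CA to check that OpenSSL-based relying parties parse the extensions involved, and other validators (browsers, Java, GnuTLS) need their own equivalent of the check.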