
Given a root certificate authority (CA) and an intermediate CA signed by the root:

  1. Which CRL should the crlDistributionPoints contain for the intermediate CA? The root CA's CRL or the intermediate CA's CRL?

    It makes sense that each certificate should point to the CRL of the CA that signed it.

  2. Which CRL should the root CA contain, if any?

    It would seem that since it is self-signed, it should point to its own CRL.

  3. Should user or server certificates signed by the intermediate CA point to the intermediate CA's CRL, or both the intermediate's and the root's CRLs?

Please cite the RFC if you can. I can't find a clear answer there myself.

Asked another way, where would a client look for a CRL to see if a given certificate has been revoked? In the certificate itself or in the signing CA's certificate?

Brad303

1 Answer


Which CRL should the crlDistributionPoints contain for the intermediate CA? The root CA's CRL or the intermediate CA's CRL?

The crlDistributionPoints must point to the CRL which will contain the revocation for the certificate itself. Thus in case of an intermediate CA this will probably be the CRL signed by the issuer CA, although it can be any other CA as long as a trust path can be constructed.

Which CRL should the root CA contain, if any?

The root CA can not be revoked. Trust for the root CA is not established through certificates but because it is integrated as pre-trusted in the browser or OS. This means if the root CA gets corrupted it must be removed from the browser/OS without any kind of CRL mechanism.

Should user or server certificates signed by the intermediate CA point to the intermediate CA's ...

Again, they should point to the CRL which will eventually contain the revocation record. Which CRL this is depends on how the revocation is implemented at the CA.

where would a client look for a CRL to see if a given certificate has been revoked?....

The client looks into the possible revoked certificate and extracts the crlDistributionPoints from inside this certificate. Then it downloads the CRL from this point and checks if it contains the serial number of the certificate.

Steffen Ullrich
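As an added example (not part of the question or the answer above), the following Python builds a constructed two-tier PKI in memory with the `cryptography` library and walks through the lookup the answer describes: each certificate's crlDistributionPoints names the CRL of the CA that issued it, the self-signed root carries none, and a client reads the CDP out of the certificate being checked, confirms the CRL really comes from that certificate's issuer, and looks for the serial number. All names, URIs (example.invalid) and serial numbers are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed validity start
ROOT_CRL = "http://pki.example.invalid/root.crl"                    # constructed CDP URIs
INT_CRL = "http://pki.example.invalid/intermediate.crl"

def name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, key, serial, ca, cdp_uri=None):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if cdp_uri:  # the self-signed root gets no CDP: no CRL can revoke it
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_uri)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def cdp_uris(cert):
    """Step 1 of the client check: read the CDP URIs out of the certificate being validated."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def is_revoked(cert, issuer_cert, crl):
    """Step 2: trust only a CRL issued and signed by the certificate's issuer, then look up the serial."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL was not issued by this certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

# Constructed PKI: the intermediate points at the root's CRL, the leaf at the intermediate's.
root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert(name("Root CA"), name("Root CA"), root_key, root_key, 1, True)
inter = make_cert(name("Intermediate CA"), root.subject, root_key, int_key, 2, True, ROOT_CRL)
leaf = make_cert(name("server.example.invalid"), inter.subject, int_key, leaf_key, 3, False, INT_CRL)
CRLS = {ROOT_CRL: make_crl(root, root_key, []), INT_CRL: make_crl(inter, int_key, [3])}

def check(cert, issuer_cert):
    """Stand-in for downloading the CRL named in the certificate's CDP (in-memory table here)."""
    return any(is_revoked(cert, issuer_cert, CRLS[uri]) for uri in cdp_uris(cert))
```

Note that `is_revoked` rejects the root's CRL when handed the leaf, which is the mismatch a client must catch: a CRL is only meaningful for certificates of the CA that signed it.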