Should root certificates have OCSP or CRL for it?

Question

Should root certificates have OCSP or CRL for its own revocation status?

So here is what I mean:

Intermediate Cert -> http://example.com/root.crl
SAN Cert -> https://example.com/intermediate.crl

But should you create a crl database for root?

Root Cert -> http://example.com/root.crl

Like the above?

score 1 · Accepted Answer · answered Feb 06 '21 at 12:54

1

No, root CA never includes CDP and AIA extensions in their CA certificate, because it provides zero value. Most revocation checking tools skip root CA certificate checking, because root CA revocation is an undefined operation.

answered Feb 06 '21 at 12:54

Crypt32

5,750
12
24

That is interesting. – Example person Feb 06 '21 at 12:56
Are you absolutely sure about that though? I want to make sure before I generate that root cert. – Example person Feb 06 '21 at 12:57

Should root certificates have OCSP or CRL for it?

1 Answers1