I have the following issue: I have a self-signed CA (certificate authority) mainly for personal use (mail encryption and signing, ...). I created several certificates and the CRLs (which are empty for now) and published all of them.
Now I have the problem that I get the message from Kleopatra (X509 certificate manager under Linux) that the CRLs are outdated and therefore unused. Further, I guess that all certificates with the outdated CRL are temporarily rejected/revoked until the updated CRL can be fetched over HTTP (in my case).
Now I want to know how this is possible in a professional context. To create a new CRL using a script I would have to put the unencrypted (!) private key of my root CA onto a production server to generate the CRLs using a cron script. I cannot believe that this is necessary to run a professional CA, or is it?
As soon as any problem on this server arises the whole root certificate would be compromised. This would result in a complete re-setup of all certificates, and all applications having installed this root certificate would have to be altered manually. For a (trusted) root certificate there cannot be a CRL itself, so we cannot revoke it in the classical sense.
I hope you can explain this to me.
Ahh, I see. That's bad. The problem is I do have a home server but only one. I thought in the first place it would be sufficient to create the CRLs once and use them until a revocation is needed. Then it has to be updated, clearly. Now I was not aware that it is necessary to keep the CRLs up-to-date even if no modifications are present. I will have to rethink my whole infrastructure now, I guess... – Christian Wolf – 2014-03-17T15:00:32.990
CRLs have an expiration date. Like the lifetime of a certificate, you could set the expiration date way into the future, but then you have to ask why you use CRLs at all if updated CRLs should never be checked for. – Steffen Ullrich – 2014-03-17T15:21:29.967
I want CRLs to be checked but as long as no further certificates have been revoked I thought that the CRLs can stay constant. Now I see that by defining the lifetime of the CRLs I also defined the update interval of them. – Christian Wolf – 2014-03-18T14:08:56.950
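The behaviour discussed in the thread, as an added example that is not part of the original question or comments and is not OpenSSL's own documentation: a POSIX shell script that builds a throwaway CA in a temporary directory, signs an empty CRL with a chosen lifetime, and then runs the same check a client such as Kleopatra applies to a certificate whose issuer published that CRL. Every path, the CA name and the subject DN are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a throwaway CA in a
# temporary directory, signs an empty CRL with a chosen lifetime, then runs the
# same check a client such as Kleopatra applies: a CRL whose nextUpdate has
# passed is "outdated" and the certificates it covers are no longer accepted.
# All names, paths and the DN are constructed for the example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"

setup_ca() {
  mkdir -p "$CA"
  : > "$CA/index.txt"          # empty issuance database: nothing revoked
  echo 1000 > "$CA/crlnumber"  # CRL number, incremented on every -gencrl
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
default_md       = sha256
default_crl_days = 30

[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Demo Root CA (constructed)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Root key + self-signed root certificate (unencrypted key, as in the question).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$CA/openssl.cnf" -keyout "$CA/root.key" -out "$CA/root.crt" \
    >/dev/null 2>&1
  # One end-entity certificate issued by the root (e.g. a mail certificate).
  openssl req -new -newkey rsa:2048 -nodes -config "$CA/openssl.cnf" \
    -subj "/CN=mail user (constructed)" \
    -keyout "$CA/leaf.key" -out "$CA/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$CA/leaf.csr" -CA "$CA/root.crt" -CAkey "$CA/root.key" \
    -CAcreateserial -days 365 -sha256 -out "$CA/leaf.crt" >/dev/null 2>&1
}

# Sign a (still empty) CRL. Arguments go to `openssl ca -gencrl`, e.g. `-crldays 30`.
# The lifetime chosen here is the interval at which the CRL must be re-signed,
# revocations or not. Only root.crl has to reach the HTTP server; the signing
# step itself can run on a machine that never serves anything.
issue_crl() {
  openssl ca -config "$CA/openssl.cnf" -gencrl "$@" -out "$CA/root.crl" \
    2>/dev/null
}

crl_dates() {
  openssl crl -in "$CA/root.crl" -noout -lastupdate -nextupdate
}

# Returns 0 only when the leaf verifies against a CRL that is still current.
crl_check() {
  openssl verify -crl_check -CAfile "$CA/root.crt" -CRLfile "$CA/root.crl" \
    "$CA/leaf.crt" 2>&1 | grep -q ': OK$'
}

demo() {
  setup_ca
  echo "--- fresh 30-day CRL, nothing revoked"
  issue_crl -crldays 30
  crl_dates
  crl_check && echo "leaf accepted" || echo "leaf rejected"

  echo "--- CRL whose nextUpdate has already passed"
  issue_crl -crlsec 1   # nextUpdate = now + 1 s, a stand-in for a stale CRL
  sleep 2
  crl_dates
  crl_check && echo "leaf accepted" || echo "leaf rejected (CRL has expired)"
}

demo
```

Running the script shows the two outcomes side by side: the same empty CRL is accepted while its nextUpdate lies in the future and rejected as soon as it has passed, even though no certificate was ever revoked. The `-crldays` value passed to `issue_crl` is therefore the re-signing interval the thread arrives at, and because `issue_crl` only needs the key for the moment of signing, the unencrypted root key from the question does not have to live on the web server that publishes `root.crl`.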