How to update CRL automatically?

0

I have the following issue: I have a self-signed CA (certificate authority) mainly for personal use (mail encryption and signing, ...). I created several certificates and the CRLs (which are empty for now) and published all of them.

Now I have the problem that I get the message from Kleopatra (X509 certificate manager under Linux) that the CRLs are outdated and therefore unused. Further, I guess that all certificates with the outdated CRL are temporarily rejected/revoked until the updated CRL can be fetched over HTTP (in my case).

Now I want to know how this is possible in a professional context. To create a new CRL using a script I would have to put the unencrypted (!) private key of my root CA onto a production server to generate the CRLs using a cron script. I cannot believe that this is necessary to run a professional CA, or is it?

As soon as any problem on this server arises the whole root certificate would be compromised. This would result in a complete re-setup of all certificates, and all applications having installed this root certificate would have to be altered manually. For a (trusted) root certificate there cannot be a CRL itself, so we cannot revoke it in the classical sense.

I hope you can explain these things to me.

Christian Wolf

Posted 2014-03-17T10:25:15.550

Reputation: 268

Answers

0

A CRL is not created on demand, but regularly and usually within the same (hopefully safe) infrastructure where certificates get signed. After the CRL is created and signed it gets propagated to the publicly accessible servers where users can then access it. So there is no need to put the private key of the CA on a public server.

Steffen Ullrich

Posted 2014-03-17T10:25:15.550

Reputation: 3 897

Ahh, I see. That's bad. The problem is I do have a home server but only one. I thought in the first place it would be sufficient to create the CRLs once and use them until a revocation is needed. Then it has to be updated, clearly. Now I was not aware that it is necessary to keep the CRLs up to date even if no modifications are present. I will have to rethink my whole infrastructure now, I guess... – Christian Wolf – 2014-03-17T15:00:32.990

CRLs have an expiration date. Like the lifetime of a certificate, you could set the expiration date way into the future - but then you have to ask why you use CRLs at all if one should never check for updated CRLs. – Steffen Ullrich – 2014-03-17T15:21:29.967

I want CRLs to be checked, but as long as no further certificates have been revoked I thought that the CRLs can stay constant. Now I see that by defining the lifetime of the CRLs I also defined their update interval. – Christian Wolf – 2014-03-18T14:08:56.950
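The workflow from the answer, together with the lifetime/update-interval point from the comments, as an added shell example that is not part of the original thread: a cron-style script for the CA host that re-signs the CRL with a short validity and copies only the signed CRL to the web server, so the CA key never leaves the CA host. It assumes `openssl` and GNU `date -d` are available; the `home_ca` config section, the directory layout and the `PUBLISH_TO` destination are made up for the example, and the script builds a throwaway CA in a temp directory so it runs offline.

```shell
# Added example, not from the original thread. Assumes openssl and GNU date (`date -d`).
set -eu
CRL_DAYS="${CRL_DAYS:-7}"      # nextUpdate = thisUpdate + 7 days; cron must re-sign more often than that
PUBLISH_TO="${PUBLISH_TO:-}"   # hypothetical web host, e.g. www@crl.example.invalid:/var/www/crl/

# Minimal openssl.cnf for `openssl ca -gencrl`, written into CA directory $1.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = home_ca
[ home_ca ]
database         = $1/index.txt
certificate      = $1/ca.crt
private_key      = $1/ca.key
crlnumber        = $1/crlnumber
default_md       = sha256
default_crl_days = $CRL_DAYS
EOF
}

# Throwaway self-signed CA so the example runs offline (constructed test data, not a real CA).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Home CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  : > "$1/index.txt"; echo 01 > "$1/crlnumber"
  write_ca_config "$1"
}

# Step 1, on the CA host (from cron): sign a fresh CRL even when nothing new was revoked.
gen_crl() {
  openssl ca -config "$1/openssl.cnf" -gencrl -crldays "$CRL_DAYS" -out "$1/ca.crl"
}

# Seconds until the CRL's nextUpdate; negative means clients already treat it as stale.
crl_seconds_left() {
  next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  echo $(( $(date -u -d "$next" +%s) - $(date -u +%s) ))
}

# Step 2: copy only the signed CRL to the web server; ca.key never leaves the CA host.
publish_crl() { scp "$1/ca.crl" "$PUBLISH_TO"; }
main() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  make_test_ca "$dir"; gen_crl "$dir"
  left=$(crl_seconds_left "$dir/ca.crl")
  echo "new CRL valid for $((left / 86400)) days; re-run gen_crl and publish_crl before that"
  if [ -n "$PUBLISH_TO" ]; then publish_crl "$dir"; fi
}
main
```

On a real CA host you would point `gen_crl` at your existing CA directory instead of the throwaway one and schedule it more often than `CRL_DAYS`, since the web server only ever receives the signed `ca.crl`.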