Subordinate CAs and CRL distribution points.

Sascha
2010-08-25
2013-03-09
  • Sascha
    2010-08-25

    I have a question:

    Suppose I create a self-signed CA (root), a sub-CA, and a client certificate. What would I fill in for the CRL distribution points of the CA certificates? Is this value the URL to where its own CRL will be published, or its parent's?

    Situation 1: The root has no CRL distribution point set. The sub-CA has its CRL distribution point set to where the root publishes its CRL. The client has its CRL distribution point set to where the sub-CA publishes its CRL.

    Situation 2: The root has a CRL distribution point set to where it publishes its CRL. The sub-CA has its CRL distribution point set to where it publishes its CRL. The client has its CRL distribution point set to that of the sub-CA.

    If you could help me out, I'd be much obliged.

    Thank you for XCA! It's a great tool simplifying a complex subject!

    Sascha Sanches

     
  • The CRL distribution point provides information about the validity of the certificate containing the CRL distribution point extension.
    So situation 1 is correct.
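
The rule from the answer above, as an added example that is not part of the thread and not XCA code: it builds the root, sub-CA and client chain of Situation 1 with the Python `cryptography` package and checks that the CRL named in each certificate is issued and signed by that certificate's issuer. The names, URLs and the `PUBLISHED` lookup table are constructed, and it assumes each CA signs its own CRL directly.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)
ROOT_CRL_URL = "http://pki.example.test/root.crl"  # constructed: root's CRL
SUB_CRL_URL = "http://pki.example.test/sub.crl"    # constructed: sub-CA's CRL

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, key, issuer_cn, issuer_key, is_ca, cdp_url=None):
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=3650))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp_url:  # the CDP names the CRL that covers *this* certificate
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cn, issuer_key):
    return (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
            .last_update(NOW).next_update(NOW + dt.timedelta(days=30))
            .sign(issuer_key, hashes.SHA256()))

def cdp_urls(cert):
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext for gn in (dp.full_name or [])]

def crl_covers(cert, issuer_cert, published):
    """True if a CRL at one of cert's CDP URLs is issued and signed by cert's issuer."""
    for url in cdp_urls(cert):
        crl = published.get(url)  # an empty CRL is falsy, so compare against None
        if (crl is not None and crl.issuer == cert.issuer
                and crl.is_signature_valid(issuer_cert.public_key())):
            return True
    return False

root_key, sub_key, client_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = issue("Root CA", root_key, "Root CA", root_key, True)                 # no CDP
sub = issue("Sub CA", sub_key, "Root CA", root_key, True, ROOT_CRL_URL)      # root's CRL
client = issue("client", client_key, "Sub CA", sub_key, False, SUB_CRL_URL)  # sub-CA's CRL
PUBLISHED = {ROOT_CRL_URL: make_crl("Root CA", root_key),
             SUB_CRL_URL: make_crl("Sub CA", sub_key)}
# Sub-CA as in Situation 2: its CDP names its own CRL, which its issuer did not sign
sub_s2 = issue("Sub CA", sub_key, "Root CA", root_key, True, SUB_CRL_URL)
```

`crl_covers(sub_s2, root, PUBLISHED)` returns `False`: the CRL at that URL is issued by the sub-CA, so it cannot say whether the root has revoked the sub-CA's certificate.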

     
  • Sascha
    2010-08-25

    Ok, thank you for clarifying that.