If I implement a PKI with multiple levels of CAs, do I need to have a CRL for each individual CA or can I just have one CRL for the entire hierarchy (i.e. point all certificates to a single CRL), or only a few at the upper levels of the hierarchy?
Each CA will need to publish its own CRL.
The reason that it's not possible from a technical perspective to combine multiple CRLs is that each CRL needs to be cryptographically signed by the CA that generated it, so it's a 1-CA-to-1-CRL relationship.

Shane Madden
It is quite common to publish all the CRLs to the same website, though - as long as that location is the location specified in the CDP of any issued certificates. – TristanK Mar 26 '11 at 14:19
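A worked example of the one-CA-to-one-CRL relationship described in the answer and the shared publication point mentioned in the comment, added here and not part of the question, answer or comment. It assumes the `openssl` command line tool (1.1.1 or later, with its default `openssl.cnf` installed) and builds a root CA, an issuing CA and two leaf certificates under a temporary directory; the CA names, file names and the `http://pki.example.test/crl` CDP base URL are all constructed for the demonstration. Each CA signs its own CRL from its own database, both CRLs are concatenated into one file to stand in for a single web server, and `openssl verify -crl_check_all` is run three times: an unrevoked leaf with both CRLs, a revoked leaf with both CRLs, and an unrevoked leaf with only the root's CRL, which fails because the root cannot speak for certificates the issuing CA signed.

```shell
#!/bin/sh
# Added example, not from the original question or answer: build a two-level
# CA hierarchy with the openssl CLI, have each CA issue its own CRL, and show
# how `openssl verify -crl_check_all` behaves with each CRL present or absent.
# Every name, path and URL below is constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Hypothetical single publication point: all CRLs live on one host, each
# under its own file name, and each certificate's CDP names its issuer's CRL.
CDP_BASE="http://pki.example.test/crl"

# Minimal `openssl ca` config for one CA.  The CRL is signed with the key
# named here, which is why one CRL cannot cover a second issuer.
ca_config() {   # $1 = CA file stem
  cat > "$1.ca.cnf" <<EOF
[ca]
default_ca = ca_default
[ca_default]
database         = $1.index
crlnumber        = $1.crlnumber
certificate      = $1.crt
private_key      = $1.key
default_md       = sha256
default_crl_days = 30
EOF
  : > "$1.index"
  echo 01 > "$1.crlnumber"
}

# Self-signed root CA (extensions come only from the ext file).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
printf '%s\n' "basicConstraints=critical,CA:TRUE" \
  "keyUsage=critical,keyCertSign,cRLSign" > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile root.ext -out root.crt 2>/dev/null
ca_config root

# Issuing CA signed by the root; its own revocation status is in the root's
# CRL, so its CDP points at root.crl.
openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key \
  -out intermediate.csr -subj "/CN=Example Issuing CA" 2>/dev/null
printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
  "keyUsage=critical,keyCertSign,cRLSign" \
  "crlDistributionPoints=URI:$CDP_BASE/root.crl" > intermediate.ext
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -days 365 -sha256 -extfile intermediate.ext \
  -out intermediate.crt 2>/dev/null
ca_config intermediate

# Leaf certificates issued by the issuing CA; only that CA can revoke them,
# so their CDP points at intermediate.crl.
issue_leaf() {  # $1 = file stem, $2 = DNS name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=digitalSignature" \
    "subjectAltName=DNS:$2" \
    "crlDistributionPoints=URI:$CDP_BASE/intermediate.crl" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 90 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue_leaf leaf-ok      www.example.test
issue_leaf leaf-revoked old.example.test

# Revoke one leaf in the issuing CA's database, then let each CA sign its own
# CRL.  The root's CRL is empty but must still exist for -crl_check_all.
openssl ca -config intermediate.ca.cnf -revoke leaf-revoked.crt 2>/dev/null
openssl ca -config intermediate.ca.cnf -gencrl -out intermediate.crl 2>/dev/null
openssl ca -config root.ca.cnf -gencrl -out root.crl 2>/dev/null
cat root.crl intermediate.crl > all-crls.pem   # what the shared site would serve

# Verify a leaf against a CRL file; prints valid | revoked | no-crl | invalid.
crl_status() {  # $1 = leaf certificate, $2 = PEM file holding CRLs
  if out=$(openssl verify -crl_check_all -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/intermediate.crt" -CRLfile "$WORK/$2" \
        "$WORK/$1" 2>&1); then
    echo valid
  else
    case $out in
      *"certificate revoked"*)           echo revoked ;;
      *"unable to get certificate CRL"*) echo no-crl ;;
      *)                                 echo invalid ;;
    esac
  fi
}

# Each CRL names its own issuer: there is no CRL for "the hierarchy".
openssl crl -in root.crl -noout -issuer
openssl crl -in intermediate.crl -noout -issuer
echo "leaf-ok, both CRLs:       $(crl_status leaf-ok.crt all-crls.pem)"
echo "leaf-revoked, both CRLs:  $(crl_status leaf-revoked.crt all-crls.pem)"
echo "leaf-ok, root CRL only:   $(crl_status leaf-ok.crt root.crl)"
```

The last check is the practical point: a relying party that enforces `-crl_check_all` needs a CRL from every issuer in the chain, the root included, so each CA in the hierarchy has to publish one even when it has revoked nothing.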