Purely for private interest and for use in my own network, I am creating a certificate chain with openssl (root certification authority → intermediate certification authority → server certificate). I want the certificate chain to be traceable and to be able to revoke certificates.
At the moment I'm not sure which CRL distribution points (crlDistributionPoints in openssl configuration language) and OCSP URIs (authorityInfoAccess = OCSP;URI: ... and authorityInfoAccess = caIssuers;URI: ...) are the correct ones to define when creating a certificate. When I examine the certificates of some public websites, the following seems to me to be the right way. Would you please check whether I'm right?
Root CA certificate:
- CRL: Root CA CRL or none at all
- OCSP-URI: OCSP-URI of the root certification authority or none at all
- CA issuer: URI of the root CA certificate or none at all
Intermediate CA certificate:
- CRL: Root CA CRL
- OCSP-URI: OCSP-URI of the root certification authority
- CA issuer: URI of the root certification authority
Server certificate:
- CRL: Intermediate CA CRL
- OCSP-URI: OCSP-URI of the intermediate CA *)
- CA issuer: URI of the intermediate CA
*) It appears that an OCSP responder can process OCSP requests for both the root and the intermediate CA. If so, I could use the root certification authority's OCSP URI, right?
So the data in every certificate must point "one level higher", to the place where its own validity can be checked. Is that correct?
And by the way, is there an OCSP responder that you can recommend? I tried openssl's own and that of openca, but both had drawbacks for me.
Thanks in advance!
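An added example (not from the question and not openssl project code) that builds the chain exactly as laid out above with openssl(1), revokes the server certificate at the intermediate, and shows a CRL-checking verification rejecting it afterwards. The host pki.example.test and the paths under it are constructed placeholders: nothing is served there, no OCSP responder is started, and the CRLs are read from local files instead of being fetched from the CDP. The root carries no crlDistributionPoints or authorityInfoAccess at all, the intermediate's point at the root's endpoints, and the server certificate's point at the intermediate's.

```shell
#!/bin/sh
# Added example (not from the question): root -> intermediate -> server chain built with
# openssl(1); each certificate's CDP/AIA point one level up, at its issuer. pki.example.test
# is a constructed placeholder host; revocation is checked from locally generated CRLs.
set -e
PKI_URL="http://pki.example.test"
# One config for all three levels; CA_DIR selects which CA's database signs. $1 = work dir
write_cfg() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = \$ENV::CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
# Trust anchor: no CDP/AIA, its status cannot be attested by pointing at itself.
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
# Issued by the root, so revocation status is published by the root.
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$PKI_URL/root.crl
authorityInfoAccess = OCSP;URI:$PKI_URL/ocsp-root,caIssuers;URI:$PKI_URL/root.crt
[ v3_server ]
# Issued by the intermediate, so revocation status is published by the intermediate.
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$PKI_URL/intermediate.crl
authorityInfoAccess = OCSP;URI:$PKI_URL/ocsp-intermediate,caIssuers;URI:$PKI_URL/intermediate.crt
EOF
}
# Database files that openssl ca(1) expects in a CA directory; $1 = CA dir
ca_init() { mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"; }
# Build root, intermediate and server certificates plus one CRL per CA; $1 = work dir
build_chain() {
  W=$1; C=$W/openssl.cnf
  write_cfg "$W"; ca_init "$W/root"; ca_init "$W/intermediate"
  export CA_DIR=$W/root   # req(1) also parses the config, so the variable must be set
  openssl ecparam -genkey -name prime256v1 -noout -out "$W/root/ca.key"
  openssl req -x509 -new -key "$W/root/ca.key" -subj "/CN=Example Root CA" -days 3650 \
    -config "$C" -extensions v3_root -out "$W/root/ca.pem"
  openssl ecparam -genkey -name prime256v1 -noout -out "$W/intermediate/ca.key"
  openssl req -new -key "$W/intermediate/ca.key" -subj "/CN=Example Intermediate CA" \
    -config "$C" -out "$W/intermediate.csr"
  openssl ca -batch -notext -config "$C" -extensions v3_intermediate -days 1825 \
    -in "$W/intermediate.csr" -out "$W/intermediate/ca.pem"
  export CA_DIR=$W/intermediate
  openssl ecparam -genkey -name prime256v1 -noout -out "$W/server.key"
  openssl req -new -key "$W/server.key" -subj "/CN=www.example.test" -config "$C" -out "$W/server.csr"
  openssl ca -batch -notext -config "$C" -extensions v3_server -in "$W/server.csr" -out "$W/server.pem"
  gen_crls "$W"
}
# (Re)issue both CRLs, i.e. what would be published at the two CDP URLs; $1 = work dir
gen_crls() {
  CA_DIR=$1/root openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/root.crl"
  CA_DIR=$1/intermediate openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/intermediate.crl"
}
# Print one URI as `openssl x509 -text` shows it; $1 = cert, $2 = "" (CDP), "OCSP - " or "CA Issuers - "
ext_uri() { openssl x509 -in "$1" -noout -text | sed -n "s/^ *$2URI://p"; }
# Verify like a CRL-checking client: trust only the root, supply the intermediate,
# and check every certificate in the path against its issuer's CRL.
verify_server() {
  cat "$1/root.crl" "$1/intermediate.crl" > "$1/all.crl"
  if openssl verify -crl_check_all -CAfile "$1/root/ca.pem" -untrusted "$1/intermediate/ca.pem" \
       -CRLfile "$1/all.crl" "$1/server.pem"; then return 0; else return 1; fi
}
# Revoke the server certificate at its issuer and republish that issuer's CRL; $1 = work dir
revoke_server() {
  CA_DIR=$1/intermediate openssl ca -config "$1/openssl.cnf" -revoke "$1/server.pem"
  gen_crls "$1"
}
WORK=$(mktemp -d)
build_chain "$WORK"
echo "intermediate CDP: $(ext_uri "$WORK/intermediate/ca.pem" "")"
echo "server CDP:       $(ext_uri "$WORK/server.pem" "")"
verify_server "$WORK" && echo "before revocation: OK"
revoke_server "$WORK"
verify_server "$WORK" || echo "after revocation: rejected"
```

Two points the run makes visible: with -crl_check_all OpenSSL wants a CRL for every certificate in the path, so a root CRL has to exist even though nothing is ever revoked at the root, which is why gen_crls issues one; and the OCSP and caIssuers URIs are only embedded here, so whether one responder answers for both issuers or each issuer gets its own URI is a deployment decision, not something the certificate syntax forces.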