Changes

CA/Revocation Reasons

1,656 bytes added, 23:11, 21 April 2022
added section
** <code>rm random check signed publicKey.pem</code>
*** If <code>cmp</code> produces no output, the signature matches.
 
=== Updating CRL Entries ===
Section 6.1.1 says:
* ''When the CA obtains verifiable evidence of private key compromise for a certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. Additionally, the CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the certificate was compromised prior to the revocation date that is indicated in the CRL entry for that certificate. Note: Backdating the revocationDate field is an exception to best practice described in RFC 5280 (section 5.3.2); however, this policy specifies the use of the revocationDate field to support TLS implementations that process the revocationDate field as the date when the certificate is first considered to be compromised.''
 
Here are some clarifications about that paragraph:
* The CRLReason may only be changed from a non-keyCompromise reason to the keyCompromise reason.
* The exception to the best practice described in RFC 5280 (section 5.3.2) only applies when the CRLReason is keyCompromise.
** When setting the date for an initial revocation with CRLReason keyCompromise, the revocationDate may be in the past.
** Backdating for any other CRLReason is not endorsed by Mozilla.
* The revocation date may only be changed when the current or updated CRLReason is keyCompromise.
** The revocation date may be changed to a date that is before the current/existing revocationDate. It should never be changed to a date that is later than a previously set date.
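The clarifications above, expressed as a policy check a CA could run before amending an existing CRL entry. This is an added example, not code from the Mozilla wiki page or from any CA software; the <code>CRLEntry</code> model, the serial number and the dates are constructed for illustration.

```python
# Added example, not code from the Mozilla wiki page: a policy check for changes to an
# existing CRL entry, encoding the clarifications in "Updating CRL Entries" above.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

KEY_COMPROMISE = "keyCompromise"  # CRLReason value 1 in RFC 5280


@dataclass(frozen=True)
class CRLEntry:
    serial: int
    revocation_date: datetime      # the entry's revocationDate field
    reason: Optional[str] = None   # reasonCode extension value; None if absent


def check_entry_update(current: CRLEntry, proposed: CRLEntry) -> list[str]:
    """Return the policy violations in a proposed update; an empty list means acceptable.
    1. reasonCode may only be changed (or added) to keyCompromise.
    2. revocationDate may only change when the current or updated reason is keyCompromise.
    3. revocationDate may only move earlier, never later.
    """
    problems = []
    if current.serial != proposed.serial:
        problems.append("serial mismatch: not the same CRL entry")
    if current.reason != proposed.reason and proposed.reason != KEY_COMPROMISE:
        problems.append("reasonCode may only be changed to keyCompromise")
    if current.revocation_date != proposed.revocation_date:
        if KEY_COMPROMISE not in (current.reason, proposed.reason):
            problems.append("revocationDate may only change for keyCompromise")
        if proposed.revocation_date > current.revocation_date:
            problems.append("revocationDate may only be moved earlier")
    return problems


def run_samples() -> dict[str, list[str]]:
    """Apply the check to constructed entries (hypothetical serial and dates)."""
    t0 = datetime(2022, 4, 1, tzinfo=timezone.utc)        # original revocationDate
    earlier = datetime(2022, 3, 15, tzinfo=timezone.utc)  # compromise shown to predate t0
    later = datetime(2022, 4, 10, tzinfo=timezone.utc)
    cur = CRLEntry(0x1234, t0, "superseded")
    kc = CRLEntry(0x1234, t0, KEY_COMPROMISE)
    return {
        "upgrade_to_kc_and_backdate": check_entry_update(cur, CRLEntry(0x1234, earlier, KEY_COMPROMISE)),
        "change_to_other_reason": check_entry_update(cur, CRLEntry(0x1234, t0, "cessationOfOperation")),
        "backdate_without_kc": check_entry_update(cur, CRLEntry(0x1234, earlier, "superseded")),
        "move_date_later": check_entry_update(kc, CRLEntry(0x1234, later, KEY_COMPROMISE)),
    }
```

Only the first sample passes; the other three each produce one violation matching the rule they break.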
== OCSP ==