Hi,
I have a question regarding publishing the CRL of an Offline Root CA.
A friend of mine said to me that automatic publishing of CRLs (for example every 180 days) should be disabled (how to do that?).
He showed me a few Verisign certificates that do not have CDP defined.
I think that the CRL from the Offline Root CA SHOULD (MUST) be published to confirm the validity of all certificates that were issued (signed) by the Offline Root CA.
My Offline Root CA is configured with a CRL publication interval of 180 days. The Offline Root CA is not connected to the network and is turned off all the time.
When I’m publishing the CRL from the Offline Root CA, I’m manually copying it to the CDP, which is an online location on the network (IIS). In the event of revocation of some subordinate CAs, I would manually force publication of the CRL.
Should I or should I not configure an autopublish interval for the CRL on the Offline Root CA? Is there a way to disable it?