
Extending a CRL when the CA is unavailable


Hi All,

I want to extend a CRL, but I am unable to export the private key. If a CA was previously unavailable to issue a CRL, I could extend the existing CRL manually by exporting the private key and signing the CRL extension using “Certutil -sign -f <crl file name> <output file name> dd:hh”. But now I am using HSMs, I can no longer export the key and want to be able to manually extend the CRL in similar circumstances.

Has anyone seen this, or does anyone know how to do this when I am using HSM devices? Is this just a bad idea which HSMs don’t support?

“What I want to know is what if the CA server is down and it is not able to publish the new CRL? Normally we will manually extend the CRL to a longer period so that we have time to bring up the CA, and the only option to extend the manual CRL is we need the CA certificate private key to sign the CRL file.”

