Automating CRL signing

[krausejw]

I would like to resign an existing CRL with a longer validity period. This CRL will only be used in DR situations. I would like to make it valid for a period long enough to ensure that the CA environment is restored before CRL's become invalid.

I am familiar with the certutil -sign tool, but that opens a window that requires that the signing certificate be selected. I haven't found a way to pass the certificate and avoid the window.

I am also aware that I could manipulate the registery and publish, but we have an HSM installed and the CA would need to be restarted for the settings to be effective. Our HSM requires that PED cards to be inserted to access the private key. So, once again, I cannot automate it.

Has anyone run into this problem and worked out a solution? I am not a strong developer, so I suspect that there are other ways to crack this egg, that I am not familiar with.

[Carley]

For your purpose it is better to go for some automated tools. I am right now using CRL Monitor. A easy to use tool which can automate crl signing. But other than this it also offers you a trusted infrastructure. I am using this tool for quiet some time and found this very useful in most of the cases.