Ars Technica

Two-tier OpenSSL PKI: how to revoke IntermediateCA when RootCA is airgapped?

I'm trying to set up a basic OpenSSL two-tier PKI but I'm not understanding how CRLs work in an airgapped RootCA; how can I revoke an IntermediateCA in a way that everyone knows it has been revoked?
Ars Technica

Internal PKI certificate question

We've got a offline root and issuing CA that are still running Sha1 for hashing. They're really only being used for user tokens for authentication so the SHA1 isn't a huge thing. However now I need to ...