at work I am testing using a light sub-ca with openvpn to limit the scope
of hosts that can auto request a certificate.
So far so good, really impressed with how well it works.
The question I cannot answer is: are there specific urls for crl/ocsp for
sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
Thanks for your support.