So, in RFC 5280 (figure 1 and later sections of the RFC), we can read that it's possible to delegate CRL issuance to another certificate: the CRL issuer.
But I have several questions about the CRL issuer and figure 1.
For example, there is the following chain:
Root CA -> Intermed.1 CA -> Interm.2 CA -> End-entity
and I want to delegate CRL issuance of Intermed.1 CA.
Can the CRL issuer be signed by the Root CA or ONLY by Intermed.1 CA?
Can the CRL issuer be a delegate of multiple CAs? In other words, the CRL issuer would be used for each CA issued by the Root CA => Intermed.1a CA, Intermed.1b CA, Intermed.1c CA.
Can the same CRL issuer be used for different levels of the chain? The CRL issuer would be used as a delegate of Intermed.1 CA and Intermed.2 CA.
Thank you very much.
Must the CRL issuer be signed by the CA that delegates to it?
No, it doesn't. A CA may delegate CRL signing to any trusted authority. What is necessary: the client must have the CRL signer certificate in its local cache to validate the CRL signature, and this signer must be trusted by clients. This requirement is necessary since clients cannot utilize the Authority Information Access extension to retrieve the required certificates.
Can the CRL issuer be a delegate of multiple CAs? In other words, the CRL issuer would be used for each CA issued by the Root CA => Intermed.1a CA, Intermed.1b CA, Intermed.1c CA.
Sorry, I don't understand this question. If you ask whether all CAs in the chain can use a delegated CRL Issuer, then the answer is yes.
Can the same CRL issuer be used for different levels of the chain? The CRL issuer would be used as a delegate of Intermed.1 CA and Intermed.2 CA.
Yes. The same delegated entity can be a CRL Issuer for multiple different CAs, and every single CA can delegate CRL signing to multiple CRL Issuers.
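To make the client-side requirements in the answer above concrete, here is an added Go example; it is not from the original post or from any project, uses only the standard library's crypto/x509, and constructs a throwaway hierarchy with the names from the question. The Root CA signs Intermed.1 CA and, separately, a non-CA "Intermed.1 CRL Issuer" certificate whose only key usage is cRLSign (the certificate names, serials and placeholder SubjectKeyId values are assumptions). That certificate signs a CRL, and VerifyCRL performs what a relying party has to do: take the signer certificate from its own cache, check that it chains to a trust anchor, that it carries cRLSign, that its subject equals the CRL's issuer name, and that it actually signed the CRL. Checking the same CRL against Intermed.1 CA's own certificate fails, which is why the client needs the CRL issuer's certificate locally.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parentKey; a nil parent yields
// a self-signed root. SubjectKeyId is a constructed placeholder (real CAs hash the public key).
func issue(cn string, serial int64, ca bool, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              ku,
		SubjectKeyId:          []byte{byte(serial)},
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DelegatedPKI is the constructed hierarchy from the question plus a CRL issuer signed by the Root CA.
type DelegatedPKI struct {
	Root, Interm1, CRLIssuer *x509.Certificate
	CRLIssuerKey             *ecdsa.PrivateKey
	Roots                    *x509.CertPool
}

func BuildPKI() (*DelegatedPKI, error) {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := issue("Root CA", 1, true, caUsage, nil, nil)
	if err != nil {
		return nil, err
	}
	interm1, _, err := issue("Intermed.1 CA", 2, true, caUsage, root, rootKey)
	if err != nil {
		return nil, err
	}
	// The delegated CRL issuer is an end entity, not a CA; its only key usage is cRLSign.
	crlIssuer, crlKey, err := issue("Intermed.1 CRL Issuer", 3, false, x509.KeyUsageCRLSign, root, rootKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &DelegatedPKI{root, interm1, crlIssuer, crlKey, roots}, nil
}

// IssueCRL signs a CRL listing the given serials with the delegated CRL issuer's key.
func (p *DelegatedPKI) IssueCRL(revoked ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(12 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CRLIssuer, p.CRLIssuerKey)
}

// VerifyCRL does what a relying party must do for a delegated CRL: the signer certificate comes from
// its own cache (no AIA fetch), must chain to a trust anchor, must carry cRLSign, must have the CRL's
// issuer name as its subject, and must actually have signed the CRL.
func VerifyCRL(crlDER []byte, signer *x509.Certificate, roots *x509.CertPool) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return nil, fmt.Errorf("CRL signer not trusted: %w", err)
	}
	if signer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return nil, fmt.Errorf("CRL signer %q lacks the cRLSign key usage", signer.Subject.CommonName)
	}
	if !bytes.Equal(rl.RawIssuer, signer.RawSubject) {
		return nil, fmt.Errorf("CRL issuer %q is not the signer %q", rl.Issuer.CommonName, signer.Subject.CommonName)
	}
	if err := signer.CheckSignature(rl.SignatureAlgorithm, rl.RawTBSRevocationList, rl.Signature); err != nil {
		return nil, fmt.Errorf("bad CRL signature: %w", err)
	}
	return rl, nil
}
```

The example deliberately leaves out the indirect-CRL machinery that RFC 5280 requires when one CRL issuer covers several CAs, as in the last two questions (the issuingDistributionPoint extension with indirectCRL set, and the certificateIssuer entry extension on each revoked entry); crypto/x509 exposes those only as raw extensions, so a production client would have to parse them itself before applying the CRL to certificates from a different CA.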