When to use a CRL distribution point in a root certificate?
I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let's not consider that for the moment. Let's assume we have a root CA > intermediate CAs > and leaf certificates.
My understanding is that the root CA issues (signs) any intermediate CAs. It also maintains a list of revoked certificates (a CRL), and this list holds only certificates which it had originally signed (or: is the issuer of).
Furthermore, the root CA's CRL is published at a URI that is included as a CRL distribution point in the certificates this root CA has signed, which are the intermediate CA certificates in our example.
Consequently, the leaf certificates will have the CRL URI of their issuer intermediate CAs in their CRL distribution point.
Since the root CA certificate is self-signed, I am unsure if a CRL distribution point in the root certificate makes sense or not. Searching through the system trust store of my computer, I notice that some root CA certificates have CRL distribution points and some don't. Why is that?