Comment CRL, OCSP and PKIX (Score 3, Informative) 171
Regarding the use of the CRL distribution point extension, a URI that points to a DNS alias can help alleviate the risk.
"OSPF" was likely a botched reference to OCSP (Online Certificate Status Protocol), defined in RFC 2560.
Finally, read the PKIX spec on certificate management, RFC 3280. It will give you a much more detailed understanding of how PKI should work than any vendor docs. This level of understanding is critical if you start playing the role of CA.
If you do your homework, and understand how things work, OpenSSL is an adequate tool.
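An OpenSSL CA configuration illustrating the DNS-alias point above, as an added example that is not part of the original comment. The host names and section names are placeholders, and reading "the risk" as the CRL URI being fixed inside every issued certificate is an assumption.

```ini
# openssl.cnf fragment (added example; example.com names are placeholders)

[ usr_cert_fragile ]
# The CDP names one physical machine. Every certificate issued with this
# section carries the URI for its whole lifetime, so renaming or retiring
# web01 leaves relying parties unable to fetch the CRL.
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:http://web01.example.com/ca.crl

[ usr_cert ]
# The CDP and the OCSP responder are reached through service aliases.
# The matching DNS records (assumed zone) would be:
#   crl.example.com.   IN CNAME web01.example.com.
#   ocsp.example.com.  IN CNAME web01.example.com.
# Moving either service later means changing a DNS record, not reissuing
# certificates.
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://crl.example.com/ca.crl
authorityInfoAccess   = OCSP;URI:http://ocsp.example.com/

[ ocsp_responder ]
# Extensions for a delegated OCSP signing certificate issued by the same CA.
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature
extendedKeyUsage      = OCSPSigning
noCheck               = ignored
```

Select a section at signing time with `openssl ca -extensions usr_cert`, then confirm the CRL Distribution Points and Authority Information Access fields with `openssl x509 -noout -text`.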