I've just created a self-signed CA for my environment. The root cert was created with 8192 bit RSA.
Importing the crl to Firefox and accessing sub-keys works like a charm. Accessing a server with a sub-key via https for example results in an endless loop in safari. I've also tried to import the root crl to my keychain which results in an error and an unusable system: every Apple app like Safari, directoryUtil, Keychain Access get stuck when accessing a SSL certificate or a ssl-enabled service.