NIAP: View Technical Decision Details
Archived TD0354: MDM CRLsign exceptions

Publication Date
2018.09.20

Protection Profiles
PP_MDM_V3.0

Other References
FIA_X509_EXT.1

Issue Description

FIA_X509_EXT.1 Test 4 indicates "If CRL is selected, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set, and verify that validation of the CRL fails." There are some root CAs that do not contain a key usage extension.

Resolution

Test 4 is replaced as follows:

Test 4: [conditional] If OCSP is selected, the evaluator shall configure the OCSP server or use a man-in-the-middle tool to present a certificate that does not have the OCSP signing purpose and verify that validation of the OCSP response fails. If CRL is selected and the CA contains a Key Usage extension, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set, and verify that validation of the CRL fails. If the CA is a root CA with no Key Usage extension, this test is not performed.

Justification

It is acceptable to allow root CAs (trust anchors) to issue CRLs without the root CA certificate containing KeyUsage. However, if a root CA certificate contains the KeyUsage extension, it must have the cRLSign bit set.
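The rule that the replacement Test 4 and this justification describe, written out as an added Go example (it is not part of the TD or of PP_MDM_V3.0): a CRL-issuer check that rejects a signer whose KeyUsage extension lacks cRLSign but accepts a root CA that carries no KeyUsage extension at all. The three root certificates are constructed in memory for the demonstration, and SelfSignedRoot and CRLIssuerAllowed are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// CRLIssuerAllowed applies the TD0354 rule: a CA with no KeyUsage extension may sign
// CRLs; a CA that carries KeyUsage must have cRLSign set or its CRL is rejected. Presence
// is decided from the raw extension list (id-ce-keyUsage, 2.5.29.15), since cert.KeyUsage is 0 when absent.
func CRLIssuerAllowed(issuer *x509.Certificate) error {
	for _, e := range issuer.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}) && issuer.KeyUsage&x509.KeyUsageCRLSign == 0 {
			return errors.New("CRL issuer has KeyUsage without cRLSign: reject CRL")
		}
	}
	return nil // no KeyUsage extension (root-CA exception) or cRLSign present
}

// SelfSignedRoot builds a constructed, in-memory root CA; ku == 0 emits no KeyUsage extension.
func SelfSignedRoot(cn string, ku x509.KeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for name, ku := range map[string]x509.KeyUsage{"crlsign": x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		"no-crlsign": x509.KeyUsageCertSign, "no-keyusage": 0} {
		root, err := SelfSignedRoot(name, ku)
		println(name, "->", err == nil && CRLIssuerAllowed(root) == nil)
	}
}
```

Only the middle case ("no-crlsign") is rejected; the root without any KeyUsage extension is accepted, which is exactly the case the TD exempts from Test 4.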
