Create and save a CRL

Certificate Revocation Lists (CRLs) allow certificate authorities to notify certificate consumers that particular certificates have been revoked (are no longer valid). CRLs are issued and updated periodically by the CA. The location of the CRL is specified in the CA certificate as one of its extensions.

To create a CRL, create an instance of the TElCertificateRevocationList class. Then set all parameters of the CRL, such as the time of its last update and the expected time of its next update (the ThisUpdate and NextUpdate properties of TElCertificateRevocationList). SignatureAlgorithm specifies the algorithm used to sign the CRL when it is saved.

You must set the name of the CRL issuer (the Issuer property of the TElCertificateRevocationList class). This name should correspond to the name in the certificate that is used to sign the CRL (see below). Alternative names can be provided via the Issuer Alternative Name extension.

Extensions are optional and can be set using the Extensions property of the TElCertificateRevocationList class. For more information about extensions, see the corresponding how-to article.

Add CRL records, which contain information about individual revoked certificates, using the Items[] property of the TElCertificateRevocationList class. Detailed information about adding items to the CRL is provided in the corresponding how-to article.

To save the CRL, call the corresponding SaveToStream*() or SaveToBuffer*() method of TElCertificateRevocationList. The asterisk denotes the format name, or nothing in the case of the DER format. CRLs can be stored in DER and PEM formats. For a description of the various CRL formats, see the corresponding how-to article.

When you save the CRL, you must provide a certificate that will be used to sign it. The certificate authority may use the same CA certificate and private key to sign the issued certificates and to sign the CRL for those certificates. Alternatively, different certificates and private keys may be used, but using different certificates complicates the certificate validation process and so should be avoided. For more information about CRLs, see RFC 3280.
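The same procedure carried out with the Python cryptography package, as an added example that is neither SecureBlackbox code nor part of the original how-to: the signing CA's subject becomes the CRL issuer, ThisUpdate/NextUpdate are set, one record per revoked certificate is added, the CRL is signed with the CA key and saved as DER and PEM, and a consumer-side check confirms the issuer matches the signing certificate and the signature verifies. The CA, serial numbers and validity periods are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def make_ca(common_name="Example Test CA"):
    # Constructed self-signed CA; its key signs both certificates and the CRL (the recommended setup).
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, issuer_name, revoked_serials, validity_days=7):
    # issuer_name must be the signing certificate's subject (see check_crl);
    # ThisUpdate/NextUpdate tell consumers how long this CRL may be relied on.
    this_update = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_name)
               .last_update(this_update)
               .next_update(this_update + timedelta(days=validity_days)))
    for serial in revoked_serials:  # one CRL record per revoked certificate
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(this_update)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    # The hash chosen here plays the role of SignatureAlgorithm; signing happens at save time.
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())

def save_crl(crl):
    # DER is the bare encoding; PEM is the same bytes in base64 with "X509 CRL" armour.
    return crl.public_bytes(serialization.Encoding.DER), crl.public_bytes(serialization.Encoding.PEM)

def check_crl(crl_der, ca_cert):
    # What a consumer verifies before trusting any entry: issuer equals the CA subject, signature verifies.
    crl = x509.load_der_x509_crl(crl_der)
    return {"issuer_matches": crl.issuer == ca_cert.subject,
            "signature_valid": crl.is_signature_valid(ca_cert.public_key()),
            "revoked_serials": sorted(r.serial_number for r in crl)}
```

Building a CRL with another CA's subject as issuer but signing it with this CA's key makes check_crl report signature_valid True and issuer_matches False, which is the issuer/signer mismatch the how-to tells you to avoid.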

