Discuss this help topic in SecureBlackbox Forum

Add certificate to CRL

To add a new certificate to a CRL, use the TElCertificateRevocationListEx class (SBCRLEx namespace; PKI package). Note that a CRL is signed by the issuing CA, so adding an entry means producing and re-signing a new version of the whole list.

  1. Load an existing CRL or create a new one.
  2. Load the certificate you want to revoke into a TElX509Certificate object (no private key is needed):
    TElX509Certificate cert = new TElX509Certificate();
    cert.LoadFromFileAuto("cert.cer", "");
  3. Add it to the CRL with the CRL object's Add() method. The call returns the index of the new entry in the list:
    int index = crl.Add(cert);
    You can set the revocation details of the new entry by fetching the corresponding TElRevocationItem object and adjusting its properties. At a minimum set the revocation date (in UTC) and, where you know it, the reason code:
    TElRevocationItem item = crl.get_Items(index);
    item.RevocationDate = DateTime.UtcNow;
    item.Extensions.Included = SBCRL.Unit.crlReasonCode;
    item.Extensions.ReasonCode.Reason = SBX509Ext.TSBCRLReasonFlag.rfKeyCompromise;
    Note that you can add multiple certificates at this stage; repeat the Add() call for each one before signing.
  4. Load your CA certificate into a TElX509Certificate object. Its private key must be available, because it is used to sign the CRL. Treat this step with the same care as any other use of the CA signing key: load it from a protected container and never leave the PFX and its password lying next to the published CRL.
    TElX509Certificate caCert = new TElX509Certificate();
    caCert.LoadFromFileAuto("cacert.pfx", "password");
  5. Use your CA certificate to sign and save the new version of the CRL with the CRL object's SaveToStream() method (the variable name must match the one you used in step 4; the stream is closed afterwards):
    FileStream f = new FileStream("cacert.crl", FileMode.Create);
    try
    {
        crl.SaveToStream(f, caCert);
    }
    finally
    {
        f.Close();
    }
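
The five steps above, put together as one routine that revokes several certificates in a single CRL update, signs the result with the CA key and then reloads the file to confirm that the serial numbers are present. This is an added example and not code from the SecureBlackbox documentation; the file names are placeholders, and the ThisUpdate/NextUpdate, PrivateKeyExists, SerialNumber, Count and LoadFromStream(Stream, int) members are assumed to exist with the shapes used here (check them against your SecureBlackbox version).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using SBCRL;
using SBCRLEx;
using SBX509;
using SBX509Ext;

// Added example, not part of the SecureBlackbox help topic.
public static class CrlUpdater
{
    // Revokes every certificate in toRevoke (file path -> reason) and writes a
    // freshly signed CRL to crlPath. An existing CRL at crlPath is extended,
    // otherwise a new one is created.
    public static void RevokeCertificates(string crlPath, string caPfxPath, string caPassword,
                                          IList<KeyValuePair<string, TSBCRLReasonFlag>> toRevoke)
    {
        TElCertificateRevocationListEx crl = new TElCertificateRevocationListEx();

        // Step 1: load the current CRL if there is one (assumed signature: Stream, byte count, 0 = whole stream).
        if (File.Exists(crlPath))
        {
            using (FileStream existing = new FileStream(crlPath, FileMode.Open, FileAccess.Read))
            {
                crl.LoadFromStream(existing, 0);
            }
        }

        // Step 4 first: fail early if the CA key is missing, before touching the list.
        TElX509Certificate caCert = new TElX509Certificate();
        caCert.LoadFromFileAuto(caPfxPath, caPassword);
        if (!caCert.PrivateKeyExists)   // assumed property name
        {
            throw new InvalidOperationException("CA certificate has no private key; cannot sign the CRL");
        }

        // Validity window of this CRL version (assumed property names).
        DateTime now = DateTime.UtcNow;
        crl.ThisUpdate = now;
        crl.NextUpdate = now.AddDays(7);

        // Steps 2 and 3: add each certificate and record when and why it was revoked.
        foreach (KeyValuePair<string, TSBCRLReasonFlag> entry in toRevoke)
        {
            TElX509Certificate cert = new TElX509Certificate();
            cert.LoadFromFileAuto(entry.Key, "");   // no private key needed for the revoked cert

            int index = crl.Add(cert);
            TElRevocationItem item = crl.get_Items(index);
            item.RevocationDate = now;
            item.Extensions.Included = SBCRL.Unit.crlReasonCode;
            item.Extensions.ReasonCode.Reason = entry.Value;
        }

        // Step 5: sign with the CA key and write the new version atomically via a temp file.
        string tmp = crlPath + ".tmp";
        using (FileStream f = new FileStream(tmp, FileMode.Create))
        {
            crl.SaveToStream(f, caCert);
        }
        File.Copy(tmp, crlPath, true);
        File.Delete(tmp);
    }

    // Reloads the CRL and reports whether a certificate with the given serial is listed.
    // Used as a post-write check; SerialNumber on both classes is assumed to be byte[].
    public static bool IsRevoked(string crlPath, byte[] serial)
    {
        TElCertificateRevocationListEx crl = new TElCertificateRevocationListEx();
        using (FileStream f = new FileStream(crlPath, FileMode.Open, FileAccess.Read))
        {
            crl.LoadFromStream(f, 0);
        }
        for (int i = 0; i < crl.Count; i++)   // assumed: Count gives the number of entries
        {
            if (SameBytes(crl.get_Items(i).SerialNumber, serial))
            {
                return true;
            }
        }
        return false;
    }

    private static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    public static void Main()
    {
        var toRevoke = new List<KeyValuePair<string, TSBCRLReasonFlag>>
        {
            new KeyValuePair<string, TSBCRLReasonFlag>("server1.cer", TSBCRLReasonFlag.rfKeyCompromise),
            new KeyValuePair<string, TSBCRLReasonFlag>("server2.cer", TSBCRLReasonFlag.rfCessationOfOperation),
        };
        RevokeCertificates("cacert.crl", "cacert.pfx", "password", toRevoke);

        TElX509Certificate check = new TElX509Certificate();
        check.LoadFromFileAuto("server1.cer", "");
        Console.WriteLine("server1 listed: " + IsRevoked("cacert.crl", check.SerialNumber));
    }
}
```

The reload check at the end matters in practice: a CRL that was built in memory but written as an empty or unsigned file is the usual way a revocation silently fails to take effect, so verify the published artifact, not the in-memory object.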

The standard doesn't require that all certificates included in a CRL were issued under the same CA certificate (such a list is called an indirect CRL). Hence you can include certificates from different CAs in the same CRL. In this case you need to provide the name of each certificate's issuer via the TElRevocationItem.Extensions.IssuerName property, because a CRL entry is identified by serial number and serial numbers are unique only within one issuer. If the issuer name isn't specified and two certificates from different CAs happen to have the same serial number, the entries become ambiguous and a relying party cannot tell which certificate is revoked.

For more information on CRLs see RFC 3280 (since obsoleted by RFC 5280, which describes the same CRL structure and indirect CRLs).
