Discuss this help topic in SecureBlackbox Forum

Create CRL

CRL (Certificate Revocation List) is a public document which contains a list of certificates that have been revoked by a particular CA. CRLs are created and maintained by respective CAs, and are normally updated on a regular basis to reflect the most recent changes in certificate statuses.

Each CRL contains a set of serial numbers of certificates that have been revoked by the CA to the date on which the CRL was issued. This implies that each CRL grows with time as new serial numbers are added to it. For each certificate, along with its serial number, the reason for its revocation is often included.

SecureBlackbox works with CRLs via its TElCertificateRevocationList (SBCRL namespace) and TElCertificateRevocationListEx (SBCRLEx namespace) components. The first component (which is included in the base package) is only capable of reading CRLs. The second one, included to the PKI package, is also capable of editing and generating them.

Here is a step-by-step example of how to create a brand new CRL using SecureBlackbox:

  1. Create an instance of TElCertificateRevocationListEx class: TElCertificateRevocationListEx crl = new TElCertificateRevocationListEx();
  2. Add revoked certificates using its Add() method. Certificates can be added as TElX509Certificate objects or by their plain serial numbers:
    On this stage you can also adjust CRL extensions and time values:
    crl.ThisUpdate = DateTime.UtcNow;
    crl.NextUpdate = DateTime.UtcNow.AddDays(2);
  3. Load the certificate you want to sign the CRL with into a TElX509Certificate object (either from a file or from some other media like a system certificate store). Note that this certificate must have an associated private key with it.
    TElX509Certificate caCert = new TElX509Certificate();
    caCert.LoadFromFileAuto("cacert.pfx", "password");
  4. Save your CRL to stream with its SaveToStream() method. Any type of writable stream can be used.
    FileStream f = new FileStream("cacert.crl", FileMode.Create);
      crl.SaveToStream(f, caCert);
    That's it, the cacert.crl file now contains your signed CRL.

How To articles about certificate revocation lists (CRLs)

Discuss this help topic in SecureBlackbox Forum