Discuss this help topic in SecureBlackbox Forum

Configure CRL extensions

CRL specification (RFC 2459, RFC 3280 and later) allows to include custom information to the compliant certificate revocation lists. This is done via the so-called 'extensions'. Extensions can be added to the whole CRL or to the individual revocation records it contains.

In addition to the extensions mechanism itself, the standard also defines a small set of pre-defined extensions.

Extensions can be added on the CRL preparation stage, before it is signed and serialized to binary format.

A list of CRL-wide extensions is accessible via the TElCertificateRevocationList.Extensions property. It allows to directly set the pre-defined extensions (AuthorityKeyIdentifier, IssuerAlternativeName, CRLNumber and others) and add your own extensions. Those are represented by the OtherExtensions property. Note, that you must use unique OIDs for the custom extensions you add; they should not conflict with any of those already defined.

Per-entry extensions are accessible through the corresponding entry's TElRevocationItem.Extensions property. Just like with CRL-wide extensions there's a small set of standardized extension objects. And you can add your own ones using the OtherExtensions property.

Note, the Critical property of every extension object sets a requirement for the CRL processing application to understand this particular extension. If the extension's Critical field is set to true, and the CRL processor does not support this type of extension, it is required to reject the whole CRL.

The code snippet below illustrates the use of Extension objects, both CRL-wide and per-entry ones.

// Setting CRL-wide extensions
crl.Extensions.CRLNumber.Number = 883;
crl.Extensions.Included = SBCRL.Unit.crlCRLNumber; // indicating that we are including a standard CRLNumber extensions
crl.Extensions.OtherCount = 1;
crl.Extensions.get_OtherExtensions(0).OID = SBStrUtils.Unit.StrToOID("1.2.999999.");
crl.Extensions.get_OtherExtensions(0).Value = SBASN1Tree.Unit.FormatAttributeValue(SBASN1Tree.Unit.SB_ASN1_UTF8STRING, StrToUTF8("very important extension"));
crl.Extensions.get_OtherExtensions(0).Critical = true;

// Setting per-entry extensions
int index = crl.Add(cert);
crl.get_Items(index).Extensions.ReasonCode.Reason = SBX509Ext.TSBCRLReasonFlag.rfKeyCompromise;
crl.get_Items(index).Extensions.Included = SBCRL.Unit.crlReasonCode;

How To articles about certificate revocation lists (CRLs)

Discuss this help topic in SecureBlackbox Forum