Discuss this help topic in SecureBlackbox Forum

Use CRLs in certificate validation

When a certificate is validated, you must check whether its issuer certificate contains information about a possible CRL location. This location is specified in the CRLDistributionPoints extension of the X.509 certificate; with SecureBlackbox, use the TElX509Certificate.Extensions.CRLDistributionPoints property. This extension, if present, tells you where to retrieve the CRL in which certificates signed with this issuer certificate may appear.

The standard (RFC 3280) describes a sophisticated concept of CRL distribution points, but in practice there is usually a single point containing the URL of the CRL.

So you need to retrieve all CRLs identified by the above-mentioned extension and load them into TElCertificateRevocationList.

To load a CRL, call the corresponding LoadFromStream*() or LoadFromBuffer*() method of TElCertificateRevocationList. The asterisk denotes the format name, or nothing in the case of DER format.

CRLs can be stored in DER and PEM formats. For a description of the various CRL formats, see the corresponding how-to article.

After the CRL is loaded, you need to check whether it contains the certificate that you are validating. The check can be done using the IsPresent or IndexOf method. You can access the data records that correspond to individual certificates via the TElCertificateRevocationList.Items property. Each item represents one certificate and is an instance of TElRevocationItem.

If the certificate is present in the list, you need to check the revocation date (TElRevocationItem.RevocationDate property, accessible via the above-mentioned Items property). The CRL item may also contain an InvalidityDate extension (TElRevocationItem.Extensions.InvalidityDate), which, if present, specifies when the certificate became invalid.

So, if the certificate was not found in the list, you can continue validating the certificate chain. If the certificate was found in the CRL, you need to check the date on which it was revoked and act accordingly.
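The steps above (load the CRL in DER or PEM form, look the certificate up in the list, read RevocationDate and, if present, InvalidityDate) can be followed end to end in the following added example. It is not SecureBlackbox code and does not use the TEl* classes: it contains a minimal DER decoder, a constructed sample CRL from a fictitious "Example CA", and a `revocation_status()` function whose dictionary lookup stands in for IsPresent/IndexOf. As one possible way to "act accordingly", it compares the revocation (or invalidity) date with a caller-supplied reference time, so a certificate revoked only after that time is reported separately. Two things the library does for you are deliberately left out here: fetching the CRL from the distribution point URL and verifying the CRL signature against the issuer, without which no entry may be trusted.

```python
"""Added example (not SecureBlackbox code): load a DER or PEM CRL, find the entry
for a serial number, and apply revocationDate / invalidityDate. No signature check."""
import base64
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

OID_INVALIDITY_DATE = bytes.fromhex("551d18")  # id-ce-invalidityDate, 2.5.29.24

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# --- minimal DER encode/decode (enough for a CertificateList) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_time(dt: datetime, generalized: bool = False) -> bytes:
    # RFC 3280: UTCTime for 1950-2049 in thisUpdate/revocationDate; InvalidityDate is always GeneralizedTime
    if generalized or not 1950 <= dt.year <= 2049:
        return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> datetime:
    s = val.decode()
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

@dataclass
class RevokedEntry:  # plays the role of TElRevocationItem
    serial: int
    revocation_date: datetime
    invalidity_date: Optional[datetime] = None

def load_crl(data: bytes) -> Dict[int, RevokedEntry]:
    """Parse a DER or PEM CRL into {serial: RevokedEntry} (the Items list)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        data = base64.b64decode(b64)
    _, cert_list, _ = read_tlv(data, 0)
    fields = children(children(cert_list)[0][1])  # tbsCertList
    if fields[0][0] == 0x02:                      # optional version INTEGER
        fields = fields[1:]
    rest = fields[3:]                             # skip signature alg, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):       # optional nextUpdate
        rest = rest[1:]
    entries: Dict[int, RevokedEntry] = {}
    for tag, val in rest:
        if tag != 0x30:                           # [0] crlExtensions are not needed here
            continue
        for _, entry in children(val):            # revokedCertificates
            parts = children(entry)
            serial = int.from_bytes(parts[0][1], "big", signed=True)
            inv = None
            if len(parts) > 2:                    # crlEntryExtensions present
                for _, ext in children(parts[2][1]):
                    ext_parts = children(ext)     # OID, [critical], OCTET STRING
                    if ext_parts[0][1] == OID_INVALIDITY_DATE:
                        inv = parse_time(*children(ext_parts[-1][1])[0])
            entries[serial] = RevokedEntry(serial, parse_time(*parts[1]), inv)
    return entries

def revocation_status(serial: int, crl: Dict[int, RevokedEntry], at: datetime) -> str:
    """'good' when the serial is absent (IsPresent false). Otherwise compare the
    reference time with invalidityDate if given, else revocationDate."""
    entry = crl.get(serial)
    if entry is None:
        return "good"
    effective = entry.invalidity_date or entry.revocation_date
    return "revoked" if at >= effective else "revoked_later"

def build_sample_crl(pem: bool = False) -> bytes:
    """Constructed test CRL from a fictitious 'Example CA' with a dummy signature value."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
    inv_ext = tlv(0x30, tlv(0x06, OID_INVALIDITY_DATE) + tlv(0x04, der_time(utc(2009, 1, 1), generalized=True)))
    revoked = tlv(0x30, tlv(0x30, der_int(0x1001) + der_time(utc(2010, 6, 1)))
                  + tlv(0x30, der_int(0x1002) + der_time(utc(2010, 6, 1)) + tlv(0x30, inv_ext)))
    tbs = tlv(0x30, der_int(1) + alg + issuer + der_time(utc(2010, 6, 2)) + der_time(utc(2010, 12, 31)) + revoked)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
    if not pem:
        return der
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"
```

Serial 0x1001 is revoked on 2010-06-01 with no further information, so a reference time of 2010-01-01 yields `revoked_later` while 2011-01-01 yields `revoked`. Serial 0x1002 carries an InvalidityDate of 2009-01-01, which the function uses in preference to the revocation date, so the same certificate is already `revoked` at 2009-06-01. A serial the CRL does not list is `good`, and validation of the chain can continue.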

If the CRL information could not be located, there is one more way to check certificate status: OCSP (Online Certificate Status Protocol). Its use for certificate validation is described in the corresponding how-to article.

For more information about CRLs see RFC 3280.

How To articles about certificate revocation lists (CRLs)