Next: OCSP certificate status checking, Previous: PKCS 10 certificate requests, Up: More on certificate authentication [Contents][Index]
A certificate revocation list (CRL) is a structure issued periodically by a certificate authority, containing the serial numbers of the certificates it has revoked. The CRL structure is signed with the issuing authority's key, so a relying party must verify that signature against the issuer's certificate before trusting any of its contents. A typical CRL contains the fields shown in Table 6.1. Certificate revocation lists complement the expiration date of a certificate, in order to account for other reasons of revocation, such as compromised keys.
A CRL is built much like a certificate: the structure is initialized, its fields (revoked serial numbers, update times, extensions) are set, and as the final step it is signed with the issuer's private key. Each CRL is valid for a limited amount of time and is required to provide, in addition to its own issuing time, the issuing time of the next update; a relying party should treat a CRL whose nextUpdate has passed as stale and fetch a fresh one rather than keep relying on it.
| Field | Description |
|---|---|
| version | The field that indicates the version of the CRL structure. |
| signature | A signature by the issuing authority. |
| issuer | Holds the issuer’s distinguished name. |
| thisUpdate | The issuing time of the revocation list. |
| nextUpdate | The time by which the next revocation list will be issued; this list should not be relied upon after it. |
| revokedCertificates | The serial numbers of the revoked certificates, each with its revocation date. |
| extensions | Optional CRL structure extensions. |
Table 6.1: Certificate revocation list fields.
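To make the fields of Table 6.1 concrete, here is an added example in C, written for this page and not part of GnuTLS: a small DER walker that parses a hand-assembled sample CRL (constructed for the example, not issued by any CA), extracts version, issuer, thisUpdate, nextUpdate, the revoked serial numbers and the raw extensions, and then performs the two checks a relying party needs: whether a given serial is listed, and whether the CRL is still inside its thisUpdate to nextUpdate window. The sample's signature bytes are placeholders and the example does not verify the signature; in real use that step must be done with the library before any of these fields are trusted. The names der_next, der_time, crl_parse, crl_is_revoked, crl_is_current and SAMPLE_CRL are this example's own.

```c
/* Added example: minimal DER walker that reads the Table 6.1 fields out of a DER-encoded
 * CertificateList. The signature is NOT verified here; a real verifier must do that first. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } der_t;   /* view into a DER buffer */

typedef struct {
    int version;                        /* 0 = v1 (field absent), 1 = v2 */
    der_t issuer, revoked, extensions;  /* bodies of issuer Name, revokedCertificates, crlExtensions */
    long long this_update, next_update; /* YYYYMMDDHHMMSS; next_update is 0 if absent */
} crl_t;

/* Read the next TLV from *cur into tag/body and advance past it; returns 0 on malformed input. */
static int der_next(der_t *cur, uint8_t *tag, der_t *body) {
    if (cur->len < 2) return 0;
    size_t len = cur->p[1], hdr = 2;
    if (len & 0x80) {                       /* long form: 1-2 length bytes; indefinite (0x80) rejected */
        size_t n = len & 0x7F;
        if (n == 0 || n > 2 || cur->len < 2 + n) return 0;
        for (len = 0; hdr < 2 + n; hdr++) len = (len << 8) | cur->p[hdr];
    }
    if (len > cur->len - hdr) return 0;     /* body must fit inside the enclosing container */
    *tag = cur->p[0]; body->p = cur->p + hdr; body->len = len;
    cur->p += hdr + len; cur->len -= hdr + len;
    return 1;
}

/* UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> YYYYMMDDHHMMSS, else -1 */
static long long der_time(uint8_t tag, der_t t) {
    char buf[16];
    if (tag == 0x17 && t.len == 13 && t.p[12] == 'Z') {
        int yy = (t.p[0] - '0') * 10 + (t.p[1] - '0');
        snprintf(buf, sizeof buf, "%04d%.10s", yy >= 50 ? 1900 + yy : 2000 + yy, (const char *)t.p + 2);
    } else if (tag == 0x18 && t.len == 15 && t.p[14] == 'Z') {
        memcpy(buf, t.p, 14); buf[14] = '\0';
    } else return -1;
    return strtoll(buf, NULL, 10);
}

/* Parse a DER CertificateList into out. Returns 1 on success, 0 if the structure is malformed. */
static int crl_parse(const uint8_t *der, size_t len, crl_t *out) {
    der_t cur = { der, len }, outer, tbs, tmp; uint8_t tag;
    memset(out, 0, sizeof *out);
    if (!der_next(&cur, &tag, &outer) || tag != 0x30) return 0;        /* CertificateList */
    if (!der_next(&outer, &tag, &tbs) || tag != 0x30) return 0;        /* tbsCertList */
    if (!der_next(&outer, &tag, &tmp) || tag != 0x30) return 0;        /* signatureAlgorithm */
    if (!der_next(&outer, &tag, &tmp) || tag != 0x03 || outer.len) return 0; /* signatureValue */
    if (!der_next(&tbs, &tag, &tmp)) return 0;
    if (tag == 0x02) {                                                 /* optional version INTEGER */
        if (tmp.len != 1) return 0;
        out->version = tmp.p[0];
        if (!der_next(&tbs, &tag, &tmp)) return 0;
    }
    if (tag != 0x30) return 0;                                         /* signature AlgorithmIdentifier */
    if (!der_next(&tbs, &tag, &out->issuer) || tag != 0x30) return 0;  /* issuer Name */
    if (!der_next(&tbs, &tag, &tmp) || (out->this_update = der_time(tag, tmp)) < 0) return 0;
    while (tbs.len) {                                                  /* remaining fields are optional */
        if (!der_next(&tbs, &tag, &tmp)) return 0;
        if (tag == 0x17 || tag == 0x18) { if ((out->next_update = der_time(tag, tmp)) < 0) return 0; }
        else if (tag == 0x30) out->revoked = tmp;                      /* revokedCertificates */
        else if (tag == 0xA0) out->extensions = tmp;                   /* [0] crlExtensions */
        else return 0;
    }
    return 1;
}

/* 1 if the big-endian serial (minimal DER encoding) is listed, 0 if not, -1 if an entry is malformed. */
static int crl_is_revoked(const crl_t *crl, const uint8_t *serial, size_t serial_len) {
    der_t list = crl->revoked, entry, s; uint8_t tag;
    while (list.len) {
        if (!der_next(&list, &tag, &entry) || tag != 0x30) return -1;  /* SEQUENCE { serial, date, ... } */
        if (!der_next(&entry, &tag, &s) || tag != 0x02) return -1;
        if (s.len == serial_len && !memcmp(s.p, serial, serial_len)) return 1;
    }
    return 0;
}

/* Usable only between thisUpdate and nextUpdate; a missing nextUpdate fails closed (RFC 5280 requires it). */
static int crl_is_current(const crl_t *crl, long long now) {
    return crl->next_update != 0 && now >= crl->this_update && now <= crl->next_update;
}

/* Hand-assembled sample (constructed for this example): v2, CN=Test CA, 2024-01-01..2024-01-08, two revoked serials */
static const char SAMPLE_CRL[] =
    "\x30\x81\xA6" "\x30\x81\x8D" "\x02\x01\x01"                           /* CertificateList, tbs, v2 */
    "\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00"          /* sha256WithRSAEncryption */
    "\x30\x12\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x0C\x07" "Test CA"       /* issuer: CN=Test CA */
    "\x17\x0D" "240101000000Z" "\x17\x0D" "240108000000Z"                  /* thisUpdate, nextUpdate */
    "\x30\x37" "\x30\x13\x02\x02\x10\x01\x17\x0D" "240102120000Z"           /* revoked: serial 0x1001 */
    "\x30\x20\x02\x01\x7F\x17\x0D" "240103000000Z"                          /* revoked: serial 0x7F ... */
    "\x30\x0C\x30\x0A\x06\x03\x55\x1D\x15\x04\x03\x0A\x01\x01"              /* ... reasonCode keyCompromise */
    "\xA0\x0E\x30\x0C\x30\x0A\x06\x03\x55\x1D\x14\x04\x03\x02\x01\x07"      /* crlExtensions: crlNumber 7 */
    "\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00"          /* signatureAlgorithm */
    "\x03\x05\x00\xDE\xAD\xBE\xEF";                                         /* signatureValue: placeholder */

int main(void) {
    crl_t crl; const uint8_t serial[] = { 0x10, 0x01 };
    if (!crl_parse((const uint8_t *)SAMPLE_CRL, sizeof SAMPLE_CRL - 1, &crl)) { puts("malformed CRL"); return 1; }
    printf("v%d this=%lld next=%lld current@2024-01-05=%d serial 0x1001 revoked=%d\n", crl.version + 1,
           crl.this_update, crl.next_update, crl_is_current(&crl, 20240105000000LL),
           crl_is_revoked(&crl, serial, sizeof serial));
    return 0;
}
```

Two deliberate choices are worth noting: a CRL without nextUpdate is treated as unusable rather than as valid forever, and UTCTime is expanded with the RFC 5280 century rule before comparison instead of comparing two-digit years as strings. Every length read from the input is checked against the enclosing container, so a truncated or oversized length field is rejected instead of being read past the buffer.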
The following functions set the fields of a CRL structure:
- gnutls_x509_crl_set_version
- gnutls_x509_crl_set_crt_serial
- gnutls_x509_crl_set_crt
- gnutls_x509_crl_set_next_update
- gnutls_x509_crl_set_this_update
The gnutls_x509_crl_sign2 and gnutls_x509_crl_privkey_sign functions sign the revocation list with a private key. The latter function can be used to sign with a key residing in a PKCS #11 token.
int gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, gnutls_x509_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags)
crl: should contain a gnutls_x509_crl_t structure
issuer: is the certificate of the certificate issuer
issuer_key: holds the issuer's private key
dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you're doing; SHA-1 is no longer acceptable for new signatures and current verifiers reject it.
flags: must be 0
This function will sign the CRL with the issuer's private key, and will copy the issuer's information into the CRL.
This must be the last step when creating a CRL, since all the previously set parameters are covered by the signature; any field changed afterwards invalidates it.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
int gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags)
crl: should contain a gnutls_x509_crl_t structure
issuer: is the certificate of the certificate issuer
issuer_key: holds the issuer's private key as an abstract gnutls_privkey_t, which may refer to a key residing in a PKCS #11 token
dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you're doing; SHA-1 is no longer acceptable for new signatures and current verifiers reject it.
flags: must be 0
This function will sign the CRL with the issuer's private key, and will copy the issuer's information into the CRL.
This must be the last step when creating a CRL, since all the previously set parameters are covered by the signature; any field changed afterwards invalidates it.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
Since 2.12.0
Only a few extensions of the CRL structure are supported, including the CRL number extension and the authority key identifier. The CRL number should increase with every issued list, so that a relying party can detect an attacker replaying an older, still unexpired CRL that omits a recent revocation; the authority key identifier lets the verifier select the correct issuer key. They are set with:
- gnutls_x509_crl_set_number
- gnutls_x509_crl_set_authority_key_id