6.2 PKIX certificate revocation lists

A certificate revocation list (CRL) is a structure issued by an authority periodically containing a list of revoked certificates serial numbers. The CRL structure is signed with the issuing authorities’ keys. A typical CRL contains the fields as shown in Table 6.1. Certificate revocation lists are used to complement the expiration date of a certificate, in order to account for other reasons of revocation, such as compromised keys, etc.

A certificate request can be generated by associating it with a private key, setting the subject’s information and finally self signing it. The last step ensures that the requester is in possession of the private key. Each CRL is valid for limited amount of time and is required to provide, except for the current issuing time, also the issuing time of the next update.

Table 6.1: Certificate revocation list fields.

• gnutls_x509_crl_set_version
• gnutls_x509_crl_set_crt_serial
• gnutls_x509_crl_set_crt
• gnutls_x509_crl_set_next_update
• gnutls_x509_crl_set_this_update

The gnutls_x509_crl_sign2 and gnutls_x509_crl_privkey_sign functions sign the revocation list with a private key. The latter function can be used to sign with a key residing in a PKCS #11 token.

• gnutls_x509_crl_sign2

• gnutls_x509_crl_privkey_sign

Few extensions on the CRL structure are supported, including the CRL number extension and the authority key identifier.

• gnutls_x509_crl_set_number
• gnutls_x509_crl_set_authority_key_id

This document was generated on January 4, 2012 using texi2html 5.0.