~~NOTOC~~
====== 6. Revocation ======
**Scenarios:** 4 \\
**FFI Functions:** ~35 \\
**Status:** ⏳ Planned
This category covers all scenarios for certificate revocation: CRL creation, OCSP responder setup, and Delta-CRL management.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:crl_erstellen|6.1]] | Create CRL | Generate Certificate Revocation List | ⭐⭐⭐ | ⏳ |
| [[.:ocsp_responder|6.2]] | OCSP Responder | Online Certificate Status Protocol | ⭐⭐⭐⭐ | ⏳ |
| [[.:delta_crl|6.3]] | Delta CRL | Incremental CRL updates | ⭐⭐⭐⭐ | ⏳ |
| [[.:zertifikat_widerrufen|6.4]] | Revoke Certificate | Revoke individual certificate | ⭐⭐ | ⏳ |
----
===== Revocation Architecture =====
<mermaid>
flowchart TB
    subgraph CA["🔐 Certificate Authority"]
        REVOKE[Revocation Request]
        DB[(Revocation DB)]
        CRL_GEN[CRL Generator]
        OCSP_SIGN[OCSP Signer]
    end
    subgraph DIST["📤 Distribution"]
        CDP[CRL Distribution Point]
        OCSP_SRV[OCSP Responder]
    end
    subgraph CLIENT["🖥️ Client"]
        VAL[Validator]
    end
    REVOKE --> DB
    DB --> CRL_GEN --> CDP
    DB --> OCSP_SIGN --> OCSP_SRV
    VAL --> |HTTP GET| CDP
    VAL --> |OCSP Request| OCSP_SRV
    style DB fill:#e3f2fd
    style CDP fill:#e8f5e9
    style OCSP_SRV fill:#fff3e0
</mermaid>
----
===== Revocation Reasons (RFC 5280) =====
^ Code ^ Reason ^ Description ^
| 0 | unspecified | No reason specified |
| 1 | keyCompromise | Private key compromised |
| 2 | cACompromise | CA compromised |
| 3 | affiliationChanged | Organization changed |
| 4 | superseded | Replaced by new certificate |
| 5 | cessationOfOperation | Service discontinued |
| 6 | certificateHold | Temporarily suspended |
----
===== CRL vs OCSP =====
^ Aspect ^ CRL ^ OCSP ^
| **Update** | Periodic (hours/days) | Real-time |
| **Size** | Grows with revocations | Constant (~4 KB) |
| **Offline** | ✅ Possible | ❌ Server required |
| **Privacy** | ✅ No requests visible | ⚠️ Server sees requests |
| **Standard** | RFC 5280 | RFC 6960 |
----
===== Industry-Specific Requirements =====
^ Industry ^ Method ^ Update Interval ^ Special Features ^
| **Energy/SCADA** | CRL | 24-72h | Offline environments, manual distribution |
| **Healthcare** | OCSP | Real-time | gematik requirements, QES |
| **Automotive** | CRL + OCSP | 1-6h | V2X fast response required |
| **Standard IT** | OCSP Stapling | Real-time | Performance optimized |
----
===== Quick Start Code =====
==== Create CRL ====
<code csharp>
// Initialize CRL builder
var crlBuilder = ctx.CreateCrlBuilder(issuerCert, issuerKey);

// Add revoked certificates
crlBuilder.AddRevokedCertificate(
    serialNumber: revokedCert.SerialNumber,
    revocationDate: DateTimeOffset.UtcNow,
    reason: RevocationReason.KeyCompromise
);

// Generate CRL
var crl = crlBuilder.Build(
    thisUpdate: DateTimeOffset.UtcNow,
    nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
    crlNumber: 42
);

File.WriteAllBytes("intermediate.crl", crl.ToDer());
</code>
==== Revoke Certificate ====
<code csharp>
// Load certificate to revoke
var certToRevoke = ctx.LoadCertificate("compromised.crt.pem");

// Add to revocation DB
ctx.RevokeCertificate(
    certificate: certToRevoke,
    reason: RevocationReason.KeyCompromise,
    invalidityDate: DateTimeOffset.UtcNow.AddHours(-2) // Compromised 2h ago
);

// Generate and distribute new CRL
var newCrl = ctx.GenerateCrl(issuerCert, issuerKey);
await PublishCrl(newCrl, "http://crl.example.com/intermediate.crl");
</code>
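The snippets above show the CA side only. As an added example that is not part of this page's library or its FFI API, the following Python model walks the whole flow for scenarios 6.1, 6.3 and 6.4: a revocation DB that issues a full CRL and a Delta CRL (only changes since the base CRL number), and a client validator that merges the delta onto its base, refuses a delta issued against a newer base, and fails closed once nextUpdate has passed. ''RevocationDb'', ''Crl'', ''check_status'' and the timeline in ''demo()'' are hypothetical, constructed for this illustration; only the reason codes come from the RFC 5280 table above.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class RevocationReason(IntEnum):  # CRLReason codes from the RFC 5280 table above
    UNSPECIFIED, KEY_COMPROMISE, CA_COMPROMISE, AFFILIATION_CHANGED = 0, 1, 2, 3
    SUPERSEDED, CESSATION_OF_OPERATION, CERTIFICATE_HOLD = 4, 5, 6

Crl = namedtuple("Crl", "crl_number this_update next_update entries base_crl_number", defaults=(None,))  # base_crl_number: delta CRLs only

class RevocationDb:
    """Hypothetical CA-side revocation DB: each row remembers the first CRL number that carries it."""
    def __init__(self):
        self._rows, self._crl_number = {}, 0  # serial -> ((revocation_date, reason), first_crl_number)

    def revoke(self, serial, reason, when):
        self._rows[serial] = ((when, reason), self._crl_number + 1)

    def build_full_crl(self, now, lifetime):
        self._crl_number += 1
        return Crl(self._crl_number, now, now + lifetime, {s: e for s, (e, _) in self._rows.items()})

    def build_delta_crl(self, base, now, lifetime):  # only changes recorded after `base` (RFC 5280 5.2.4)
        self._crl_number += 1
        changed = {s: e for s, (e, n) in self._rows.items() if n > base.crl_number}
        return Crl(self._crl_number, now, now + lifetime, changed, base.crl_number)

def check_status(serial, base, delta, now):
    """Client check: a stale CRL is an error, never 'good'; a delta applies only to its base or a newer one."""
    if now > base.next_update or (delta is not None and now > delta.next_update):
        raise ValueError("CRL is stale (nextUpdate has passed): fail closed")
    effective = dict(base.entries)
    if delta is not None:
        if delta.base_crl_number is None or delta.base_crl_number > base.crl_number:
            raise ValueError("delta CRL was not issued against this base CRL")
        effective.update(delta.entries)
    return ("revoked", effective[serial][1]) if serial in effective else ("good", None)

def demo():  # constructed timeline: key compromise on the base CRL, a hold published only via delta
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    db = RevocationDb()
    db.revoke(0x1001, RevocationReason.KEY_COMPROMISE, t0)
    base = db.build_full_crl(t0, timedelta(days=7))                                 # CRL number 1
    db.revoke(0x1002, RevocationReason.CERTIFICATE_HOLD, t0 + timedelta(hours=1))
    delta = db.build_delta_crl(base, t0 + timedelta(hours=2), timedelta(hours=6))   # CRL number 2
    now = t0 + timedelta(hours=3)
    return (check_status(0x1002, base, None, now),   # ("good", None): base alone misses the hold
            check_status(0x1002, base, delta, now),  # ("revoked", CERTIFICATE_HOLD)
            check_status(0x1001, base, delta, now))  # ("revoked", KEY_COMPROMISE)
```

The first result is the point of scenario 6.3: a client that only fetches the weekly base CRL treats the held certificate as good until the delta (or the next full CRL) reaches it.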
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:pki:start|1. PKI Infrastructure]] | CRL Distribution Points in CA config |
| [[.:validierung:start|5. Validation]] | Revocation check during validation |
| [[.:verwaltung:start|4. Certificate Management]] | Rekey after revocation |
----
<< [[en:int:pqcrypt:szenarien:validierung:start|← 5. Validation]] | [[en:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:verschluesselung:start|7. Encryption →]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category revocation crl ocsp}}