6. Revocation

Scenarios: 4
FFI Functions: ~35
Status: ⏳ Planned

This category covers all scenarios for certificate revocation. CRL creation, OCSP responder setup, and Delta-CRL management.

Scenarios

ID	Scenario	Description	Complexity	Status
6.1	Create CRL	Generate Certificate Revocation List	⭐⭐⭐	⏳
6.2	OCSP Responder	Online Certificate Status Protocol	⭐⭐⭐⭐	⏳
6.3	Delta CRL	Incremental CRL updates	⭐⭐⭐⭐	⏳
6.4	Revoke Certificate	Revoke individual certificate	⭐⭐	⏳

Revocation Architecture

flowchart TB subgraph CA["🔐 Certificate Authority"] REVOKE[Revocation Request] DB[(Revocation DB)] CRL_GEN[CRL Generator] OCSP_SIGN[OCSP Signer] end subgraph DIST["📤 Distribution"] CDP[CRL Distribution Point] OCSP_SRV[OCSP Responder] end subgraph CLIENT["🖥️ Client"] VAL[Validator] end REVOKE --> DB DB --> CRL_GEN --> CDP DB --> OCSP_SIGN --> OCSP_SRV VAL --> |HTTP GET| CDP VAL --> |OCSP Request| OCSP_SRV style DB fill:#e3f2fd style CDP fill:#e8f5e9 style OCSP_SRV fill:#fff3e0

Revocation Reasons (RFC 5280)

Code	Reason	Description
0	unspecified	No reason specified
1	keyCompromise	Private key compromised
2	cACompromise	CA compromised
3	affiliationChanged	Organization changed
4	superseded	Replaced by new certificate
5	cessationOfOperation	Service discontinued
6	certificateHold	Temporarily suspended

CRL vs OCSP

Aspect	CRL	OCSP
Update	Periodic (hours/days)	Real-time
Size	Grows with revocations	Constant (~4 KB)
Offline	✅ Possible	❌ Server required
Privacy	✅ No requests visible	⚠️ Server sees requests
Standard	RFC 5280	RFC 6960

Industry-Specific Requirements

Industry	Method	Update Interval	Special Features
Energy/SCADA	CRL	24-72h	Offline environments, manual distribution
Healthcare	OCSP	Real-time	gematik requirements, QES
Automotive	CRL + OCSP	1-6h	V2X fast response required
Standard IT	OCSP Stapling	Real-time	Performance optimized

Quick Start Code

Create CRL

// Initialize CRL builder
var crlBuilder = ctx.CreateCrlBuilder(issuerCert, issuerKey);
 
// Add revoked certificates
crlBuilder.AddRevokedCertificate(
    serialNumber: revokedCert.SerialNumber,
    revocationDate: DateTimeOffset.UtcNow,
    reason: RevocationReason.KeyCompromise
);
 
// Generate CRL
var crl = crlBuilder.Build(
    thisUpdate: DateTimeOffset.UtcNow,
    nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
    crlNumber: 42
);
 
File.WriteAllBytes("intermediate.crl", crl.ToDer());

Revoke Certificate

// Load certificate to revoke
var certToRevoke = ctx.LoadCertificate("compromised.crt.pem");
 
// Add to revocation DB
ctx.RevokeCertificate(
    certificate: certToRevoke,
    reason: RevocationReason.KeyCompromise,
    invalidityDate: DateTimeOffset.UtcNow.AddHours(-2)  // Compromised 2h ago
);
 
// Generate and distribute new CRL
var newCrl = ctx.GenerateCrl(issuerCert, issuerKey);
await PublishCrl(newCrl, "http://crl.example.com/intermediate.crl");

Related Categories

Category	Relationship
1. PKI Infrastructure	CRL Distribution Points in CA config
5. Validation	Revocation check during validation
4. Certificate Management	Rekey after revocation

« ← 5. Validation | ↑ Scenarios | 7. Encryption → »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

category, revocation, crl, ocsp