# 6. Revocation

- Scenarios: 4
- FFI Functions: ~35
- Status: ⏳ Planned

This category covers all scenarios for certificate revocation: CRL creation, OCSP responder setup, and Delta-CRL management.
## Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 6.1 | Create CRL | Generate Certificate Revocation List | ⭐⭐⭐ | ⏳ |
| 6.2 | OCSP Responder | Online Certificate Status Protocol | ⭐⭐⭐⭐ | ⏳ |
| 6.3 | Delta CRL | Incremental CRL updates | ⭐⭐⭐⭐ | ⏳ |
| 6.4 | Revoke Certificate | Revoke individual certificate | ⭐⭐ | ⏳ |
## Revocation Architecture

```mermaid
flowchart TB
    subgraph CA["🔐 Certificate Authority"]
        REVOKE[Revocation Request]
        DB[(Revocation DB)]
        CRL_GEN[CRL Generator]
        OCSP_SIGN[OCSP Signer]
    end
    subgraph DIST["📤 Distribution"]
        CDP[CRL Distribution Point]
        OCSP_SRV[OCSP Responder]
    end
    subgraph CLIENT["🖥️ Client"]
        VAL[Validator]
    end
    REVOKE --> DB
    DB --> CRL_GEN --> CDP
    DB --> OCSP_SIGN --> OCSP_SRV
    VAL --> |HTTP GET| CDP
    VAL --> |OCSP Request| OCSP_SRV
    style DB fill:#e3f2fd
    style CDP fill:#e8f5e9
    style OCSP_SRV fill:#fff3e0
```
## Revocation Reasons (RFC 5280)
| Code | Reason | Description |
|---|---|---|
| 0 | unspecified | No reason specified |
| 1 | keyCompromise | Private key compromised |
| 2 | cACompromise | CA compromised |
| 3 | affiliationChanged | Organization changed |
| 4 | superseded | Replaced by new certificate |
| 5 | cessationOfOperation | Service discontinued |
| 6 | certificateHold | Temporarily suspended |
## CRL vs OCSP
| Aspect | CRL | OCSP |
|---|---|---|
| Update | Periodic (hours/days) | Real-time |
| Size | Grows with revocations | Constant (~4 KB) |
| Offline | ✅ Possible | ❌ Server required |
| Privacy | ✅ No requests visible | ⚠️ Server sees requests |
| Standard | RFC 5280 | RFC 6960 |
## Industry-Specific Requirements
| Industry | Method | Update Interval | Special Features |
|---|---|---|---|
| Energy/SCADA | CRL | 24-72h | Offline environments, manual distribution |
| Healthcare | OCSP | Real-time | gematik requirements, QES |
| Automotive | CRL + OCSP | 1-6h | V2X fast response required |
| Standard IT | OCSP Stapling | Real-time | Performance optimized |
## Quick Start Code

### Create CRL

```csharp
// Initialize CRL builder
var crlBuilder = ctx.CreateCrlBuilder(issuerCert, issuerKey);

// Add revoked certificates
crlBuilder.AddRevokedCertificate(
    serialNumber: revokedCert.SerialNumber,
    revocationDate: DateTimeOffset.UtcNow,
    reason: RevocationReason.KeyCompromise
);

// Generate CRL
var crl = crlBuilder.Build(
    thisUpdate: DateTimeOffset.UtcNow,
    nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
    crlNumber: 42   // must be higher than the previously issued CRL number
);
File.WriteAllBytes("intermediate.crl", crl.ToDer());
```
### Revoke Certificate

```csharp
// Load certificate to revoke
var certToRevoke = ctx.LoadCertificate("compromised.crt.pem");

// Add to revocation DB
ctx.RevokeCertificate(
    certificate: certToRevoke,
    reason: RevocationReason.KeyCompromise,
    invalidityDate: DateTimeOffset.UtcNow.AddHours(-2)   // Compromised 2h ago
);

// Generate and distribute new CRL
var newCrl = ctx.GenerateCrl(issuerCert, issuerKey);
await PublishCrl(newCrl, "http://crl.example.com/intermediate.crl");
```
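The two quick-start snippets above use the project's C# builder API. As an added, runnable illustration of the same procedure (this is example code written for this page, not the project's code), the following Go program uses only the standard library (Go 1.21 or newer): it creates a throwaway CA, records one compromised leaf in a constructed revocation DB with the RFC 5280 reason code from the table above, signs a CRL with a CRL number and a 7-day nextUpdate, and then performs the validator-side check (VAL → CDP in the architecture diagram). The names `newCA`, `buildCRL` and `checkSerial`, the serial 4096 and the two-hour-old compromise time are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ReasonKeyCompromise is the RFC 5280 CRLReason code 1 from the table above.
const ReasonKeyCompromise = 1

// revokedEntry is one row of the issuer's revocation DB (hypothetical schema).
type revokedEntry struct {
	Serial *big.Int
	Reason int
	At     time.Time
}

// newCA builds a throwaway self-signed CA. The cRLSign key usage is required:
// CreateRevocationList refuses an issuer without it, and so do validators.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildCRL signs a DER CRL over the revocation DB. crlNumber must grow with
// every publication so a client can tell a newer CRL from a replayed old one.
func buildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, db []revokedEntry,
	crlNumber int64, validity time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(crlNumber), ThisUpdate: now, NextUpdate: now.Add(validity)}
	for _, e := range db {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: e.Serial, RevocationTime: e.At, ReasonCode: e.Reason})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkSerial is the client side: verify the issuer signature, then freshness,
// then look up the serial. Every failure is an error, so a stale or substituted
// CRL never turns into an implicit "not revoked".
func checkSerial(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, int, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL not valid at %s (nextUpdate %s)",
			now.UTC().Format(time.RFC3339), rl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, 0, nil
}

func main() {
	ca, key, err := newCA()
	if err != nil {
		panic(err)
	}
	// Constructed DB: leaf serial 4096, key known compromised two hours ago.
	db := []revokedEntry{{Serial: big.NewInt(4096), Reason: ReasonKeyCompromise, At: time.Now().Add(-2 * time.Hour)}}
	crl, err := buildCRL(ca, key, db, 42, 7*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, s := range []int64{4096, 4097} {
		revoked, reason, err := checkSerial(crl, ca, big.NewInt(s), time.Now())
		fmt.Printf("serial %d: revoked=%v reason=%d err=%v\n", s, revoked, reason, err)
	}
}
```

The order inside `checkSerial` is the point: signature first, then the thisUpdate/nextUpdate window, and only then the serial lookup. A CRL that does not verify against the expected issuer, or whose nextUpdate has passed (the 24-72 h intervals in the industry table make this a routine condition in offline environments), is rejected with an error rather than read as "good". Running the file reports serial 4096 as revoked with reason 1 and serial 4097 as not revoked.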
## Related Categories
| Category | Relationship |
|---|---|
| 1. PKI Infrastructure | CRL Distribution Points in CA config |
| 5. Validation | Revocation check during validation |
| 4. Certificate Management | Rekey after revocation |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 06:55 AM