Scenario 6.1: Creating a CRL

Category: Revocation
Complexity: ⭐⭐⭐ (Medium)
Prerequisites: CA certificate and key
Estimated time: 15-20 minutes


Description

This scenario covers creating a Certificate Revocation List (CRL) as specified in RFC 5280. A CRL is a list of revoked certificate serial numbers, signed by the CA that issued them (or by a delegated CRL issuer) and published at a known location.

CRL fields:

  • issuer - DN of the CA that issues the CRL
  • thisUpdate - time of issuance
  • nextUpdate - next scheduled update (optional in the ASN.1, but RFC 5280 requires conforming CAs to include it)
  • revokedCertificates - the revoked serial numbers, each with a revocation date and optional entry extensions (reason code, invalidity date)
  • signature - the CA's signature over the DER encoding of tbsCertList

Workflow

flowchart LR
    REV[Revoked certificates] --> BUILD[CRL Builder]
    BUILD --> SIGN[Sign with CA key]
    SIGN --> PUBLISH[Publish]
    PUBLISH --> CDP[Update CDP URL]
    style SIGN fill:#e8f5e9


Code example (C#)

using System;
using System.IO;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the CA certificate and its private key
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Create the CRL builder
var crlBuilder = new CertificateRevocationListBuilder();

// Add revoked certificates (serial number, revocation time, reason code)
crlBuilder.AddEntry(
    serialNumber: new byte[] { 0x01, 0x02, 0x03 },
    revocationTime: new DateTimeOffset(2024, 6, 15, 10, 30, 0, TimeSpan.Zero),
    reason: X509RevocationReason.KeyCompromise
);

crlBuilder.AddEntry(
    serialNumber: new byte[] { 0x01, 0x02, 0x04 },
    revocationTime: DateTimeOffset.UtcNow.AddDays(-7),
    reason: X509RevocationReason.CessationOfOperation
);

// Generate and sign the CRL; the CRL number must increase strictly with every issuance
var nextUpdate = DateTimeOffset.UtcNow.AddDays(7);
byte[] crlBytes = crlBuilder.Build(
    issuerCertificate: caCert,
    crlNumber: BigInteger.Parse("1000"),
    nextUpdate: nextUpdate,
    hashAlgorithm: HashAlgorithmName.SHA256,
    rsaSignaturePadding: null,  // fine for a PQ or ECDSA CA key; if the CA key (or the classical half of a hybrid key) is RSA, pass e.g. RSASignaturePadding.Pkcs1
    mode: CryptoMode.Hybrid
);

// Save the CRL (DER)
File.WriteAllBytes("intermediate-ca.crl", crlBytes);

// Convert the CRL to PEM
var crlPem = ctx.ToPem(crlBytes, "X509 CRL");
File.WriteAllText("intermediate-ca.crl.pem", crlPem);

Console.WriteLine("CRL created:");
Console.WriteLine($"  Entries: {crlBuilder.Entries.Count}");
Console.WriteLine($"  CRL Number: 1000");
Console.WriteLine($"  Next Update: {nextUpdate:yyyy-MM-dd}");
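For readers who want to see what such a builder actually emits, here is an added example that is not part of this scenario's WvdS library: it uses the CertificateRevocationListBuilder that ships in .NET 7+ to sign a CRL for a throwaway RSA CA constructed inline, then walks the CertificateList structure from RFC 5280 with System.Formats.Asn1.AsnReader, pulling out every field listed under Description (issuer, thisUpdate, nextUpdate, the revokedCertificates entries with their CRLReason, the CRL Number extension) and checking the signature the way a relying party would. CrlWalkthrough and its methods, the CA name, the serial numbers and the dates are names and sample values chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the scenario's library): sign a CRL with the .NET 7+ builder, then decode and verify it.
static class CrlWalkthrough
{
    record CrlEntry(BigInteger Serial, DateTimeOffset RevokedAt, X509RevocationReason? Reason);
    // Constructed throwaway CA; a real deployment loads the intermediate CA from a file or HSM.
    static X509Certificate2 MakeTestCa(RSA key)
    {
        var req = new CertificateRequest("CN=Example Intermediate CA, O=Example, C=DE",
            key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(     // Build() rejects a keyUsage without cRLSign
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    // Time ::= CHOICE { utcTime UTCTime, generalTime GeneralizedTime }
    static DateTimeOffset ReadTime(AsnReader r) =>
        r.PeekTag().HasSameClassAndValue(Asn1Tag.UtcTime) ? r.ReadUtcTime() : r.ReadGeneralizedTime();

    // Extensions ::= SEQUENCE OF SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    static Dictionary<string, byte[]> ReadExtensions(AsnReader exts)
    {
        var map = new Dictionary<string, byte[]>();
        while (exts.HasData)
        {
            AsnReader ext = exts.ReadSequence();
            string oid = ext.ReadObjectIdentifier();
            if (ext.PeekTag().HasSameClassAndValue(Asn1Tag.Boolean)) ext.ReadBoolean();   // critical flag; absent = FALSE in DER
            map[oid] = ext.ReadOctetString();
        }
        return map;
    }

    // CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }
    static (X500DistinguishedName Issuer, DateTimeOffset ThisUpdate, DateTimeOffset? NextUpdate,
            BigInteger? CrlNumber, List<CrlEntry> Entries, bool SignatureOk) ParseAndVerify(byte[] der, X509Certificate2 issuer)
    {
        AsnReader outer = new AsnReader(der, AsnEncodingRules.DER).ReadSequence();
        ReadOnlyMemory<byte> tbsDer = outer.PeekEncodedValue();   // exactly the bytes the CA signed
        AsnReader tbs = outer.ReadSequence();
        string sigAlgOid = outer.ReadSequence().ReadObjectIdentifier();
        byte[] signature = outer.ReadBitString(out _);
        outer.ThrowIfNotEmpty();

        // TBSCertList ::= SEQUENCE { version?, signature, issuer, thisUpdate, nextUpdate?, revokedCertificates?, [0] crlExtensions? }
        if (tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Integer)) tbs.ReadInteger();   // version; 1 = v2
        tbs.ReadSequence();                                                            // inner AlgorithmIdentifier
        var issuerName = new X500DistinguishedName(tbs.ReadEncodedValue().ToArray());
        DateTimeOffset thisUpdate = ReadTime(tbs);
        DateTimeOffset? nextUpdate = tbs.HasData && tbs.PeekTag().TagValue is 23 or 24 ? ReadTime(tbs) : null;   // UTCTime=23, GeneralizedTime=24
        var entries = new List<CrlEntry>();
        if (tbs.HasData && tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence))
        {
            AsnReader revoked = tbs.ReadSequence();
            while (revoked.HasData)
            {
                AsnReader e = revoked.ReadSequence();
                BigInteger serial = e.ReadInteger(); DateTimeOffset when = ReadTime(e);
                X509RevocationReason? reason = null;   // CRLReason entry extension 2.5.29.21 ::= ENUMERATED
                if (e.HasData && ReadExtensions(e.ReadSequence()).TryGetValue("2.5.29.21", out var v))
                    reason = new AsnReader(v, AsnEncodingRules.DER).ReadEnumeratedValue<X509RevocationReason>();
                entries.Add(new CrlEntry(serial, when, reason));
            }
        }
        BigInteger? crlNumber = null;   // CRL Number extension 2.5.29.20 ::= INTEGER, inside [0] EXPLICIT Extensions
        if (tbs.HasData && ReadExtensions(tbs.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)).ReadSequence())
                .TryGetValue("2.5.29.20", out var n))
            crlNumber = new AsnReader(n, AsnEncodingRules.DER).ReadInteger();

        // Accepts sha256WithRSAEncryption only; a general verifier dispatches on the AlgorithmIdentifier OID.
        using RSA pub = issuer.GetRSAPublicKey()!;
        bool ok = sigAlgOid == "1.2.840.113549.1.1.11"
            && pub.VerifyData(tbsDer.Span, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return (issuerName, thisUpdate, nextUpdate, crlNumber, entries, ok);
    }

    static void Main()
    {
        using RSA caKey = RSA.Create(3072);
        using X509Certificate2 ca = MakeTestCa(caKey);
        var builder = new CertificateRevocationListBuilder();
        builder.AddEntry(new byte[] { 0x01, 0x02, 0x03 }, new DateTimeOffset(2024, 6, 15, 10, 30, 0, TimeSpan.Zero), X509RevocationReason.KeyCompromise);
        builder.AddEntry(new byte[] { 0x01, 0x02, 0x04 }, DateTimeOffset.UtcNow.AddDays(-7), X509RevocationReason.CessationOfOperation);
        // An RSA issuer requires a padding; null is only accepted for non-RSA (e.g. ECDSA) keys.
        byte[] der = builder.Build(ca, new BigInteger(1000), DateTimeOffset.UtcNow.AddDays(7), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var crl = ParseAndVerify(der, ca);
        Console.WriteLine($"issuer: {crl.Issuer.Name}  crlNumber: {crl.CrlNumber}  thisUpdate: {crl.ThisUpdate:u}  nextUpdate: {crl.NextUpdate?.ToString("u")}  signature ok: {crl.SignatureOk}");
        foreach (CrlEntry e in crl.Entries)
            Console.WriteLine($"  serial {e.Serial:x}  revoked {e.RevokedAt:u}  reason {e.Reason}");
    }
}
```

Run it as a .NET 7+ console project. Two practitioner details it makes visible: Build() throws for an RSA issuer when rsaSignaturePadding is null, so that argument is only optional for non-RSA keys; and the signature covers exactly the DER bytes of tbsCertList, which is why the parser takes PeekEncodedValue() before descending into the structure instead of re-encoding anything.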

Updating a CRL from an existing CRL

using System;
using System.Collections.Generic;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

public class CrlUpdater
{
    public byte[] UpdateCrl(
        byte[] existingCrl,
        X509Certificate2 caCert,
        AsymmetricAlgorithm caKey,
        IEnumerable<CrlEntry>? newEntries = null)
    {
        using var ctx = PqCryptoContext.Initialize();

        // Parse the existing CRL
        var parsedCrl = ctx.ParseCrl(existingCrl);

        // New builder seeded with the existing entries. RFC 5280 §3.3: an entry may only be
        // dropped once it has appeared on a scheduled CRL issued after the certificate's own expiry.
        var builder = new CertificateRevocationListBuilder();

        foreach (var entry in parsedCrl.Entries)
        {
            builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason);
        }

        // Add the new entries
        if (newEntries != null)
        {
            foreach (var entry in newEntries)
            {
                builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason);
            }
        }

        // New CRL number (incremented); it must never repeat or go backwards
        var newCrlNumber = parsedCrl.CrlNumber + 1;

        // Build the new CRL
        return builder.Build(
            issuerCertificate: caCert,
            crlNumber: newCrlNumber,
            nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
            hashAlgorithm: HashAlgorithmName.SHA256,
            mode: CryptoMode.Hybrid
        );
    }
}

CRL extensions

// CRL with extensions. BuildCrlNumberExtension, BuildAkiExtension, BuildIdpExtension,
// BuildInvalidityDateExtension and BuildCertificateIssuerExtension are this scenario's
// helpers that DER-encode the respective extension values.
var crlBuilder = new CertificateRevocationListBuilder();

// CRL extensions
// Do not add the CRL Number manually if Build() is also given crlNumber: a CRL must not
// contain more than one instance of the same extension (RFC 5280 §5.2).
crlBuilder.AddExtension(
    oid: "2.5.29.20",  // CRL Number
    critical: false,
    value: BuildCrlNumberExtension(1001)
);

crlBuilder.AddExtension(
    oid: "2.5.29.35",  // Authority Key Identifier (must match the CA's Subject Key Identifier)
    critical: false,
    value: BuildAkiExtension(caCert)
);

crlBuilder.AddExtension(
    oid: "2.5.29.28",  // Issuing Distribution Point; RFC 5280 requires it to be critical
    critical: true,
    value: BuildIdpExtension(
        distributionPoint: "http://crl.example.com/intermediate.crl",
        onlyContainUserCerts: true   // this CRL covers end-entity certificates only
    )
);

// Entry extensions (per revoked certificate); sample values
byte[] revokedSerial = { 0x01, 0x02, 0x03 };
var compromiseDate = new DateTimeOffset(2024, 6, 10, 0, 0, 0, TimeSpan.Zero);
var certIssuerDn = new X500DistinguishedName("CN=Other Issuing CA, O=Example, C=DE");

crlBuilder.AddEntry(
    serialNumber: revokedSerial,
    revocationTime: DateTimeOffset.UtcNow,
    reason: X509RevocationReason.KeyCompromise,
    extensions: new X509ExtensionCollection
    {
        // Invalidity Date (when the key is believed to have been compromised; non-critical)
        BuildInvalidityDateExtension(compromiseDate),
        // Certificate Issuer (only in an indirect CRL, where it must be critical)
        BuildCertificateIssuerExtension(certIssuerDn)
    }
);

Revocation reasons (RFC 5280)

Code  Reason                Description
0     unspecified           No specific reason
1     keyCompromise         Private key compromised
2     cACompromise          CA compromised
3     affiliationChanged    Affiliation changed
4     superseded            Replaced by a new certificate
5     cessationOfOperation  Operation ceased
6     certificateHold       Temporarily suspended (the only reversible state)
8     removeFromCRL         Remove from CRL (lift the hold); used only in delta CRLs
9     privilegeWithdrawn    Privilege withdrawn
10    aACompromise          Attribute authority compromised

Code 7 is unassigned. In a base CRL a hold is lifted by simply omitting the entry from the next issuance.

Configuring the CRL Distribution Point

// Issue a certificate that carries a CDP, so relying parties know where to fetch the CRL
var cert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    extensions: new ExtBuilder()
        .CrlDistributionPoint(
            uri: "http://crl.example.com/intermediate.crl",
            ldapUri: "ldap://ldap.example.com/cn=Intermediate-CA,o=Example,c=DE?certificateRevocationList"
        )
        .Build()
);
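CrlUpdater above re-creates the builder and copies the old entries by hand, and the CDP extension above is what makes a relying party fetch the result. The following added example (not code from this scenario's library) ties those two pieces together with the .NET 7+ builder: a leaf certificate is issued with a CRL Distribution Point produced by CertificateRevocationListBuilder.BuildCrlDistributionPointExtension, suspended with certificateHold in CRL #1000, and released in CRL #1001 by loading the previous CRL with CertificateRevocationListBuilder.Load, which carries both the entries and the CRL number over, removing its entry and incrementing the number. RepublishBy encodes the "reissue at 50-75% of the validity window" rule. CrlLifecycle, MakeTestCa, IssueLeaf, RepublishBy, CdpUri, the CA and leaf names and the serial numbers are names and sample values chosen for this example.

```csharp
using System;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the scenario's library): CDP in a leaf, hold in CRL #1000, release in CRL #1001.
static class CrlLifecycle
{
    const string CdpUri = "http://crl.example.com/intermediate.crl";   // sample URL

    // Constructed throwaway CA; a real deployment loads the intermediate CA from a file or HSM.
    static X509Certificate2 MakeTestCa(RSA key)
    {
        var req = new CertificateRequest("CN=Example Intermediate CA, O=Example, C=DE",
            key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    // End-entity certificate whose CRL Distribution Point tells relying parties where the CRL lives.
    static X509Certificate2 IssueLeaf(X509Certificate2 ca, RSA leafKey)
    {
        var req = new CertificateRequest("CN=server.example.com", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(new[] { CdpUri }));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x40);   // positive INTEGER without a leading zero byte
        return req.Create(ca, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90), serial);
    }

    // Republish point for the "50-75 % of the validity window" rule; fraction is the chosen position.
    static DateTimeOffset RepublishBy(DateTimeOffset thisUpdate, DateTimeOffset nextUpdate, double fraction = 0.75)
    {
        if (nextUpdate <= thisUpdate) throw new ArgumentException("nextUpdate must be later than thisUpdate");
        if (fraction < 0.5 || fraction > 0.75) throw new ArgumentOutOfRangeException(nameof(fraction));
        return thisUpdate + (nextUpdate - thisUpdate) * fraction;
    }

    static void Main()
    {
        using RSA caKey = RSA.Create(3072);
        using RSA leafKey = RSA.Create(2048);
        using X509Certificate2 ca = MakeTestCa(caKey);
        using X509Certificate2 leaf = IssueLeaf(ca, leafKey);
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // CRL #1000: the leaf is suspended. certificateHold is the only reason that can be reversed.
        var first = new CertificateRevocationListBuilder();
        first.AddEntry(leaf, now, X509RevocationReason.CertificateHold);
        byte[] crl1000 = first.Build(ca, new BigInteger(1000), now.AddDays(7), HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1, thisUpdate: now);

        // CRL #1001: Load() carries the previous entries and CRL number over. The hold is lifted by
        // dropping the entry from the base CRL (reason removeFromCRL is only used in delta CRLs).
        var next = CertificateRevocationListBuilder.Load(crl1000, out BigInteger currentNumber);
        bool lifted = next.RemoveEntry(leaf.SerialNumberBytes.Span);
        next.AddEntry(new byte[] { 0x01, 0x02, 0x05 }, now, X509RevocationReason.Superseded);
        byte[] crl1001 = next.Build(ca, currentNumber + 1, now.AddDays(7), HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1, thisUpdate: now);

        Console.WriteLine($"leaf CDP: {leaf.Extensions["2.5.29.31"]?.Format(false)}");
        Console.WriteLine($"hold lifted: {lifted}; CRL #{currentNumber} ({crl1000.Length} B) -> #{currentNumber + 1} ({crl1001.Length} B)");
        Console.WriteLine($"republish CRL #{currentNumber + 1} by {RepublishBy(now, now.AddDays(7)):u}");
    }
}
```

Note what Load() does not do: it only decodes the old CRL and does not verify its signature, so feed it only a CRL taken from your own trusted store. Dropping the entry is the correct way to end a hold in a base CRL; reason code 8 (removeFromCRL) exists so that a delta CRL can tell relying parties to delete an entry from the base CRL they already hold.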

CRL requirements by industry

Industry          Max. nextUpdate  Format   Distribution
WebPKI            7 days           DER      HTTP
Enterprise        24 hours         DER/PEM  HTTP, LDAP
Energy/SCADA      30 days          DER      Offline
Healthcare        24 hours         DER      HTTP

Best practice: reissue the CRL well before nextUpdate, at 50-75% of the validity period, so that relying parties never hold a CRL whose nextUpdate has passed while the replacement is still being distributed.


Related scenarios

Relationship  Scenario                    Description
Alternative   6.2 OCSP Responder          Online status check
Extension     6.3 Delta CRL               Incremental updates
Prerequisite  6.4 Certificate revocation  Revocation process



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 30.01.2026 at 07:29