Scenarij 6.1: Ustvarjanje CRL
Kategorija: Preklic (Revocation)
Kompleksnost: Srednja
Predpogoji: Certifikat in ključ CA
Ocenjeni čas: 15-20 minut
Opis
Ta scenarij opisuje ustvarjanje seznama preklicanih certifikatov (CRL) po RFC 5280. CRL so podpisani seznami preklicanih certifikatov, ki jih objavljajo CA.
Polja CRL:
- issuer - DN izdajateljske CA
- thisUpdate - Čas izdaje
- nextUpdate - Naslednja načrtovana posodobitev
- revokedCertificates - Seznam preklicanih serijskih številk
- signature - Podpis CA
Potek dela
flowchart LR
REV[Preklicani certifikati] --> BUILD[CRL Builder]
BUILD --> SIGN[Podpis s CA]
SIGN --> PUBLISH[Objava]
PUBLISH --> CDP[Posodobitev CDP URL]
style SIGN fill:#e8f5e9
Primer kode (C#)
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; using System.Security.Cryptography.X509Certificates; using var ctx = PqCryptoContext.Initialize(); // Nalaganje CA var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem"); var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!"); // Ustvarjanje CRL Builder var crlBuilder = new CertificateRevocationListBuilder(); // Dodajanje preklicanih certifikatov crlBuilder.AddEntry( serialNumber: new byte[] { 0x01, 0x02, 0x03 }, revocationTime: new DateTimeOffset(2024, 6, 15, 10, 30, 0, TimeSpan.Zero), reason: X509RevocationReason.KeyCompromise ); crlBuilder.AddEntry( serialNumber: new byte[] { 0x01, 0x02, 0x04 }, revocationTime: DateTimeOffset.UtcNow.AddDays(-7), reason: X509RevocationReason.CessationOfOperation ); // Generiranje CRL byte[] crlBytes = crlBuilder.Build( issuerCertificate: caCert, crlNumber: BigInteger.Parse("1000"), nextUpdate: DateTimeOffset.UtcNow.AddDays(7), hashAlgorithm: HashAlgorithmName.SHA256, rsaSignaturePadding: null, // Za PQ ni relevantno mode: CryptoMode.Hybrid ); // Shranjevanje CRL File.WriteAllBytes("intermediate-ca.crl", crlBytes); // Pretvorba CRL v PEM var crlPem = ctx.ToPem(crlBytes, "X509 CRL"); File.WriteAllText("intermediate-ca.crl.pem", crlPem); Console.WriteLine("CRL ustvarjen:"); Console.WriteLine($" Vnosi: {crlBuilder.Entries.Count}"); Console.WriteLine($" CRL Number: 1000"); Console.WriteLine($" Next Update: {DateTimeOffset.UtcNow.AddDays(7):yyyy-MM-dd}");
Posodabljanje CRL iz obstoječega CRL
public class CrlUpdater { public byte[] UpdateCrl( byte[] existingCrl, X509Certificate2 caCert, AsymmetricAlgorithm caKey, IEnumerable<CrlEntry>? newEntries = null) { using var ctx = PqCryptoContext.Initialize(); // Razčlenjevanje obstoječega CRL var parsedCrl = ctx.ParseCrl(existingCrl); // Nov Builder z obstoječimi vnosi var builder = new CertificateRevocationListBuilder(); foreach (var entry in parsedCrl.Entries) { builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason); } // Dodajanje novih vnosov if (newEntries != null) { foreach (var entry in newEntries) { builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason); } } // Nova CRL-številka (povečana) var newCrlNumber = parsedCrl.CrlNumber + 1; // Ustvarjanje novega CRL return builder.Build( issuerCertificate: caCert, crlNumber: newCrlNumber, nextUpdate: DateTimeOffset.UtcNow.AddDays(7), hashAlgorithm: HashAlgorithmName.SHA256, mode: CryptoMode.Hybrid ); } }
CRL Extensions
// CRL z razširitvami var crlBuilder = new CertificateRevocationListBuilder(); // CRL Extensions crlBuilder.AddExtension( oid: "2.5.29.20", // CRL Number critical: false, value: BuildCrlNumberExtension(1001) ); crlBuilder.AddExtension( oid: "2.5.29.35", // Authority Key Identifier critical: false, value: BuildAkiExtension(caCert) ); crlBuilder.AddExtension( oid: "2.5.29.28", // Issuing Distribution Point critical: true, value: BuildIdpExtension( distributionPoint: "http://crl.example.com/intermediate.crl", onlyContainUserCerts: true ) ); // Entry Extensions (za vsak preklicanem certifikat) crlBuilder.AddEntry( serialNumber: revokedSerial, revocationTime: DateTimeOffset.UtcNow, reason: X509RevocationReason.KeyCompromise, extensions: new X509ExtensionCollection { // Invalidity Date (kdaj je bil dejansko ogrožen) BuildInvalidityDateExtension(compromiseDate), // Certificate Issuer (če je Indirect CRL) BuildCertificateIssuerExtension(certIssuerDn) } );
Razlogi za preklic (RFC 5280)
| Koda | Razlog | Opis |
|---|---|---|
| 0 | unspecified | Brez specifičnega razloga |
| 1 | keyCompromise | Ključ ogrožen |
| 2 | cACompromise | CA ogrožena |
| 3 | affiliationChanged | Pripadnost spremenjena |
| 4 | superseded | Zamenjano z novim certifikatom |
| 5 | cessationOfOperation | Delovanje ustavljeno |
| 6 | certificateHold | Začasno blokirano |
| 8 | removeFromCRL | Odstranitev iz CRL (odprava blokade) |
| 9 | privilegeWithdrawn | Pooblastilo odvzeto |
| 10 | aACompromise | Atributna agencija ogrožena |
Konfiguracija CRL Distribution Point
// Izdaja certifikata s CDP var cert = ctx.IssueCertificate( csr, issuerCert: caCert, issuerKey: caKey, extensions: new ExtBuilder() .CrlDistributionPoint( uri: "http://crl.example.com/intermediate.crl", ldapUri: "ldap://ldap.example.com/cn=Intermediate-CA,o=Example,c=DE?certificateRevocationList" ) .Build() );
Panožne zahteve za CRL
| Panoga | Maks. nextUpdate | Format | Distribucija |
|---|---|---|---|
| WebPKI | 7 dni | DER | HTTP |
| Enterprise | 24 ur | DER/PEM | HTTP, LDAP |
| Energetika/SCADA | 30 dni | DER | Brez povezave |
| Zdravstvo | 24 ur | DER | HTTP |
Najboljša praksa: Posodobite CRL pred nextUpdate (50-75% obdobja veljavnosti).
Povezani scenariji
| Povezava | Scenarij | Opis |
|---|---|---|
| Alternativa | 6.2 OCSP strežnik | Sprotno preverjanje |
| Razširitev | 6.3 Delta-CRL | Inkrementalne posodobitve |
| Predpogoj | 6.4 Preklic certifikata | Postopek preklica |
« ← Pregled preklica | ↑ Scenariji | 6.2 OCSP strežnik → »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: dne 30.01.2026 ob 07:48
