CRL Support
wl2002 edited this page Oct 9, 2015
People have been requesting the ability for CFSSL to be able to create a CRL file given a set of IDs (https://github.com/cloudflare/cfssl/issues/43).
This feature would be analogous to the OCSP signer: it takes as input the parameters needed to fill the "to-be-signed" certificate revocation list and outputs a CRL signed by the signer's private key.
Here are the structures from https://golang.org/pkg/crypto/x509/pkix:

```go
type RevokedCertificate struct {
	SerialNumber   *big.Int
	RevocationTime time.Time
	Extensions     []Extension `asn1:"optional"`
}

type TBSCertificateList struct {
	Raw                 asn1.RawContent
	Version             int `asn1:"optional,default:1"`
	Signature           AlgorithmIdentifier
	Issuer              RDNSequence
	ThisUpdate          time.Time
	NextUpdate          time.Time            `asn1:"optional"`
	RevokedCertificates []RevokedCertificate `asn1:"optional"`
	Extensions          []Extension          `asn1:"tag:0,optional,explicit"`
}
```
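As an added example (not CFSSL's code, and not the pkix-level path a 2015 implementation would have taken), the following Go program shows the flow the feature describes: a list of serial numbers is turned into `pkix.RevokedCertificate` entries, the to-be-signed CRL is filled in from caller-supplied parameters (CRL number, revocation time, validity window), and the result is signed with the issuer's private key using the standard library's `x509.CreateRevocationList`. The throwaway CA, the serial numbers and the validity window are constructed assumptions; a real signer would load the CA certificate and a `crypto.Signer` backed by a file or a PKCS#11 token. The parse-and-verify step at the end is the check a relying party performs before trusting the list.

```go
// Added example, not CFSSL code: build a CRL from serial numbers, sign it,
// then parse it back and verify the signature against the issuer.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// NewTestCA creates a constructed, self-signed CA with the crlSign key usage,
// which CreateRevocationList requires of the issuer. A real signer would load
// its CA certificate and private key (file-backed or PKCS#11) instead.
func NewTestCA() (*x509.Certificate, crypto.Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CRL Issuer (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	// Parse the DER back so SubjectKeyId (auto-generated for CA templates) is
	// populated; the CRL's authority key identifier is derived from it.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildCRL fills the to-be-signed CRL from the caller's parameters and returns
// the DER-encoded CRL signed by the issuer's key.
func BuildCRL(issuer *x509.Certificate, key crypto.Signer, serials []*big.Int,
	revokedAt time.Time, crlNumber int64, validFor time.Duration) ([]byte, error) {
	revoked := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: revokedAt})
	}
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(crlNumber), // CRL number extension (monotonic per issuer)
		ThisUpdate:          now,
		NextUpdate:          now.Add(validFor), // relying parties should refetch after this
		RevokedCertificates: revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// RevokedSerials parses a DER CRL, verifies its signature against the issuer
// and returns the revoked serial numbers as decimal strings.
func RevokedSerials(der []byte, issuer *x509.Certificate) ([]string, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature does not verify: %w", err)
	}
	var out []string
	for _, rc := range crl.RevokedCertificates {
		out = append(out, rc.SerialNumber.String())
	}
	return out, nil
}

// Demo runs the whole flow on constructed serial numbers and returns the
// serials recovered from the verified CRL.
func Demo() ([]string, []byte, *x509.Certificate, error) {
	ca, key, err := NewTestCA()
	if err != nil {
		return nil, nil, nil, err
	}
	serials := []*big.Int{big.NewInt(1001), big.NewInt(1002)} // constructed input
	der, err := BuildCRL(ca, key, serials, time.Now().Add(-time.Minute), 1, 24*time.Hour)
	if err != nil {
		return nil, nil, nil, err
	}
	got, err := RevokedSerials(der, ca)
	return got, der, ca, err
}

func main() {
	got, der, _, err := Demo()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("revoked serials:", got)
	pem.Encode(os.Stdout, &pem.Block{Type: "X509 CRL", Bytes: der})
}
```

Note that `CreateRevocationList` refuses an issuer certificate without the crlSign key usage or a subject key identifier, so a CA certificate minted for a signer needs both; the verification step also fails if the CRL is altered or checked against the wrong issuer.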
This feature should have support for:
- CLI and API
- Both PKCS11 and file-backed keys