CryptoSys PKI Toolkit Manual

X509_MakeCRL

Creates an X.509 Certificate Revocation List (CRL).

VB6/VBA Syntax

Public Declare Function X509_MakeCRL Lib "diCrPKI.dll" (ByVal strCrlFile As String, ByVal strIssuerCert As String, ByVal strIssuerKeyFile As String, ByVal strPassword As String, ByVal strRevokedCertList As String, ByVal strExtensions As String, ByVal nOptions As Long) As Long

nRet = X509_MakeCRL(strCrlFile, strIssuerCert, strIssuerKeyFile, strPassword, strRevokedCertList, strExtensions, nOptions)

Parameters

strCrlFile
[in] String with name of new CRL file to be created.
strIssuerCert
[in] String with name of issuer's X.509 certificate file (or base64 representation).
strIssuerKeyFile
[in] String with name of issuer's encrypted private key file.
strPassword
[in] String containing password for issuer's encrypted private key file.
strRevokedCertList
[in] String with the list of revoked certificates in the format serialNumber,revocationDate; ... or the empty string "" for no revoked certificates. See the Remarks section below for details.
strExtensions
[in] String (optional) containing one or more attribute-value pairs separated by semicolons (;). Valid attribute-value pairs are lastUpdate=<ISO 8601 time> and nextUpdate=<ISO 8601 time>, described under Remarks (the example below writes the first as thisUpdate, which is the RFC 5280 name for the same CRL field).
nOptions
[in] Long Option flags. Choose one signature algorithm from:
PKI_SIG_SHA1RSA (0) to use sha1WithRSAEncryption (default; SHA-1 is deprecated for signatures, so prefer PKI_SIG_SHA256RSA or stronger for any CRL that will be distributed)
PKI_SIG_MD5RSA to use md5WithRSAEncryption (not recommended)
PKI_SIG_MD2RSA to use md2WithRSAEncryption (definitely not recommended)
PKI_SIG_SHA224RSA to use sha224WithRSAEncryption
PKI_SIG_SHA256RSA to use sha256WithRSAEncryption
PKI_SIG_SHA384RSA to use sha384WithRSAEncryption
PKI_SIG_SHA512RSA to use sha512WithRSAEncryption
And add any combination of these:-
PKI_X509_FORMAT_PEM to save the file in PEM format (default = DER-encoded binary)

C/C++ Syntax

long _stdcall X509_MakeCRL(const char *szCrlFile, const char *szIssuerCert, const char *szIssuerKeyFile, const char *szPassword, const char *szRevokedCertList, const char *szExtensions, long nOptions);

Returns (VB6/C)

Long: If successful, the return value is zero; otherwise it returns a nonzero error code.

.NET Equivalent

X509.MakeCRL Method

Remarks

This creates a version 1 CRL file (shown as Version:: 0 by CERTMGR, since v1 is encoded as the integer 0) with no CRL extensions and no cRLReason entry extensions. The parameter strRevokedCertList must be in the form

serialNumber,revocationDate;serialNumber,revocationDate; ...

The serialNumber must be either a positive decimal number (e.g. 123) or a hexadecimal number preceded by #x (e.g. #x0102deadbeef). The revocation date must be in ISO 8601 format (e.g. 2009-12-31T12:59:59Z); a date without a time part (e.g. 2007-12-31) is taken as midnight GMT on that date, as the example output below shows. Whitespace around the separators is ignored.
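As an added illustration, not code from the CryptoSys PKI toolkit or its manual: a Go parser for the strRevokedCertList format described above, following the rules stated here (decimal or #x hex serials that must be positive, ISO 8601 dates read as GMT with or without a trailing Z, a date-only value meaning midnight GMT, whitespace around separators ignored, and "" meaning no entries). The sample list is the manual's own example input, embedded as a constant; the function names are this example's own.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed input: the strRevokedCertList from the manual's example, spaces included.
const sampleList = "1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59"

// parseSerial accepts a positive decimal number or "#x" followed by hex digits.
func parseSerial(s string) (*big.Int, error) {
	n, base, digits := new(big.Int), 10, s
	if strings.HasPrefix(s, "#x") {
		base, digits = 16, s[2:]
	}
	if _, ok := n.SetString(digits, base); !ok || n.Sign() <= 0 {
		return nil, fmt.Errorf("bad serial number %q", s)
	}
	return n, nil
}

// parseISOTimeUTC accepts YYYY-MM-DD, optionally followed by Thh:mm or Thh:mm:ss and a
// trailing Z. As in the toolkit, every value is read as GMT (UTC) whether or not Z is present.
func parseISOTimeUTC(s string) (time.Time, error) {
	s = strings.TrimSuffix(s, "Z")
	for _, layout := range []string{"2006-01-02T15:04:05", "2006-01-02T15:04", "2006-01-02"} {
		if t, err := time.Parse(layout, s); err == nil {
			return t, nil // a layout with no zone makes time.Parse return UTC
		}
	}
	return time.Time{}, fmt.Errorf("bad ISO 8601 time %q", s)
}

// parseRevokedList parses "serialNumber,revocationDate; ..."; "" means no revoked certificates.
func parseRevokedList(list string) ([]pkix.RevokedCertificate, error) {
	var out []pkix.RevokedCertificate
	for _, item := range strings.Split(list, ";") {
		if item = strings.TrimSpace(item); item == "" {
			continue // also tolerates a trailing ';'
		}
		parts := strings.SplitN(item, ",", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("entry %q: want serialNumber,revocationDate", item)
		}
		serial, err := parseSerial(strings.TrimSpace(parts[0]))
		if err != nil {
			return nil, err
		}
		when, err := parseISOTimeUTC(strings.TrimSpace(parts[1]))
		if err != nil {
			return nil, err
		}
		out = append(out, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: when})
	}
	return out, nil
}

func main() {
	entries, err := parseRevokedList(sampleList)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		// Serial as hex bytes, the way CERTMGR prints it, and the date in GMT.
		fmt.Printf("serial %X revoked %s\n", e.SerialNumber.Bytes(), e.RevocationTime.Format(time.RFC3339))
	}
}
```

Run with go run; the four lines printed correspond to the four entries in the CERTMGR dump further down (66000 appears as 0101D0), with every date in GMT rather than local time.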

By default, the lastUpdate (thisUpdate) time in the CRL is set from the system clock and the nextUpdate time is left empty. You can specify your own times using the lastUpdate and nextUpdate attributes in the strExtensions parameter. Times, if specified, must be in ISO 8601 format and are always interpreted as GMT times whether or not you add a "Z". Note that RFC 5280 requires conforming CRL issuers to include nextUpdate: without it a relying party cannot tell a stale CRL from a current one, so set nextUpdate for any CRL that will actually be distributed.

Example

Dim nRet As Long
Dim strCrlFile As String
Dim strIssuerFile As String
Dim strKeyFile As String
Dim strPassword As String
Dim strCertList As String
Dim strExtension As String
' Create a new CRL dated with the current system time (lastUpdate = now, no nextUpdate)
strCrlFile = "CarlsNew.crl"
strIssuerFile = "CarlRSASelf.cer"
strKeyFile = "CarlPrivRSASign.epk"
' CAUTION: DO NOT HARD-CODE REAL PASSWORDS!
strPassword = "password"
' Serial numbers may be decimal or #x-prefixed hex; dates are ISO 8601 and read as GMT
strCertList = "1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59"
' nOptions = 0: sha1WithRSAEncryption signature, DER-encoded output
nRet = X509_MakeCRL(strCrlFile, strIssuerFile, strKeyFile, strPassword, strCertList, "", 0)
Debug.Print "X509_MakeCRL returns " & nRet & " (expected 0)"
If (nRet = 0) Then
  Debug.Print "SUCCESS: New CRL file '" & strCrlFile & "' created."
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If
' Create another CRL using specified times (NB these are GMT times, not local)
strExtension = "thisUpdate=2010-04-01T12:00;nextUpdate=2010-05-01"
strCrlFile = "Carl_20100401.crl"
nRet = X509_MakeCRL(strCrlFile, strIssuerFile, strKeyFile, strPassword, strCertList, strExtension, 0)
Debug.Print "X509_MakeCRL returns " & nRet & " (expected 0)"
If (nRet = 0) Then
  Debug.Print "SUCCESS: New CRL file '" & strCrlFile & "' created."
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

The second call should produce a CRL of the following form when dumped with CERTMGR:

>certmgr -crl -v Carl_20100401.crl
==============CRL # 1 ==========
Issuer::
  [0,0] 2.5.4.3 (CN) ValueType: 4
     43 61 72 6C 52 53 41                               'CarlRSA'
ThisUpdate::
  Thu Apr 01 20:00:00 2010
NextUpdate::
  Sat May 01 08:00:00 2010
SHA1 Thumbprint::
      BAE05E5B E4F5E7A7 82F487CC 60F7BC31 0A643538
MD5 Thumbprint::
      20E8251E 7959BE61 41441901 60DB7FBA
Version:: 0
SignatureAlgorithm:: 1.2.840.113549.1.1.5
SignatureAlgorithm.Parameters::
     05 00                                              '..'
-----  Entries  -----
 [0] SerialNumber:: 01
 [0] RevocationDate:: Mon Dec 31 08:00:00 2007
 [0] Extensions:: NONE
 [1] SerialNumber:: 02
 [1] RevocationDate:: Thu Dec 31 20:59:59 2009
 [1] Extensions:: NONE
 [2] SerialNumber:: 01 01 D0
 [2] RevocationDate:: Fri Jan 01 08:00:00 2066
 [2] Extensions:: NONE
 [3] SerialNumber:: 01 02 DE AD BE EF
 [3] RevocationDate:: Sun Feb 28 09:01:59 2010
 [3] Extensions:: NONE
==============================================
CertMgr Succeeded

Note that the times shown by CERTMGR are local, not GMT; the output above is from a computer in a timezone 8 hours ahead of GMT (the 12:00 GMT thisUpdate appears as 20:00), so different times will be shown in different timezones. The values encoded in the CRL itself are GMT.
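As an added example, not the toolkit's code: the same CRL built and then checked with Go's standard crypto/x509, to make the GMT handling and the relying-party side concrete. The issuer is a throwaway self-signed CA generated in memory (a hypothetical stand-in for CarlRSASelf.cer and CarlPrivRSASign.epk, with an assumed 2048-bit key), the entries are the manual's four, the CRL number is an assumed 1, and the signature algorithm is sha256WithRSAEncryption rather than the manual example's default SHA-1. Two differences from X509_MakeCRL are deliberate and noted in the code: Go produces a v2 CRL carrying cRLNumber and authorityKeyIdentifier extensions, and it refuses an empty nextUpdate. checkSerial shows what a relying party must do before it can trust a lookup such as X509_CheckCertInCRL: verify the issuer's signature and confirm the CRL is current at the evaluation time, all in UTC, so the timezone of the machine never enters into it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed input: the manual's four entries, with revocation dates in GMT (UTC).
var sampleEntries = []pkix.RevokedCertificate{
	{SerialNumber: big.NewInt(1), RevocationTime: time.Date(2007, 12, 31, 0, 0, 0, 0, time.UTC)},
	{SerialNumber: big.NewInt(2), RevocationTime: time.Date(2009, 12, 31, 12, 59, 59, 0, time.UTC)},
	{SerialNumber: big.NewInt(66000), RevocationTime: time.Date(2066, 1, 1, 0, 0, 0, 0, time.UTC)},
	{SerialNumber: big.NewInt(0x0102deadbeef), RevocationTime: time.Date(2010, 2, 28, 1, 1, 59, 0, time.UTC)},
}

// newIssuer is a throwaway self-signed CA with the crlSign key usage, a hypothetical
// in-memory stand-in for CarlRSASelf.cer and CarlPrivRSASign.epk.
func newIssuer() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CarlRSA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed copy carries the SubjectKeyId that CRL signing needs
	return cert, key, err
}

// makeCRL is the X509_MakeCRL analogue: DER output signed with sha256WithRSAEncryption.
// Go emits a v2 CRL with cRLNumber and authorityKeyIdentifier extensions (the toolkit's
// is v1 with none) and, as RFC 5280 requires of issuers, refuses an empty nextUpdate.
func makeCRL(issuer *x509.Certificate, key *rsa.PrivateKey, revoked []pkix.RevokedCertificate,
	thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificates: revoked, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkSerial is the relying-party side that must precede any X509_CheckCertInCRL-style
// lookup: verify the issuer's signature and that the CRL is current at now (all in UTC,
// so the local timezone never matters), and only then search the entries.
func checkSerial(der []byte, issuer *x509.Certificate, now time.Time, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature rejected: %w", err)
	}
	if now.Before(crl.ThisUpdate) || crl.NextUpdate.IsZero() || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current at %s (thisUpdate %s, nextUpdate %s)",
			now.UTC(), crl.ThisUpdate.UTC(), crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	issuer, key, err := newIssuer()
	if err != nil {
		panic(err)
	}
	der, err := makeCRL(issuer, key, sampleEntries,
		time.Date(2010, 4, 1, 12, 0, 0, 0, time.UTC), time.Date(2010, 5, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	revoked, err := checkSerial(der, issuer, time.Date(2010, 4, 15, 0, 0, 0, 0, time.UTC), big.NewInt(66000))
	fmt.Printf("%d-byte DER CRL; serial 66000 revoked: %v, err: %v\n", len(der), revoked, err)
}
```

Run with go run. The order of checks in checkSerial is the point: a serial found in a CRL whose signature does not verify, or whose nextUpdate has passed, tells the caller nothing, which is why the lookup happens last and only on a CRL that passed both tests.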

See Also

X509_CheckCertInCRL


Copyright © 2004-10 D.I. Management Services Pty Ltd. All rights reserved.