CRL Support

People have been requesting the ability for CFSSL to be able to create a CRL file given a set of IDs (https://github.com/cloudflare/cfssl/issues/43).

This feature would be analogous to the OCSP signer, taking as input the parameters to fill the "to-be-signed" certificate revocation list and outputing a CRL signed by the signer's private key.

Here are the structures from https://golang.org/pkg/crypto/x509/pkix:
type RevokedCertificate struct {
        SerialNumber   *big.Int
        RevocationTime time.Time
        Extensions     []Extension `asn1:"optional"`
}

type TBSCertificateList struct {
        Raw                 asn1.RawContent
        Version             int `asn1:"optional,default:1"`
        Signature           AlgorithmIdentifier
        Issuer              RDNSequence
        ThisUpdate          time.Time
        NextUpdate          time.Time            `asn1:"optional"`
        RevokedCertificates []RevokedCertificate `asn1:"optional"`
        Extensions          []Extension          `asn1:"tag:0,optional,explicit"`
}

This feature should have support for:

CLI and API
Both PKCS11 and file-backed keys

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CRL Support

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally