Tags: .net, x509certificate2, .net-core-2.0

Use Certificate Revocation List file with X509 in .Net


Need to protect client-server communication. I found a nice approach in .NET Core to generate X509 certificates (self-signed). But there is really a lack of information on how to work with a Certificate Revocation List in .NET Framework. I would appreciate answers to these questions:


Solution

  • How to create CRL file with .Net ( Without BouncyCastle ) ?

    You can't; .NET natively doesn't ship any API to deal with X.509 CRL files. You have to use 3rd-party libraries.

    Can it be created as any text file and signed after?

    No, it is not a text file.

    If yes, what is the format of columns?

    X.509 CRL uses Abstract Syntax Notation One (ASN.1) for its internal representation, and the ASN.1 module is defined in RFC 5280 Appendix A.1 (page 118). Unfortunately, .NET doesn't provide tools to work with raw ASN.1 data (only for well-known and supported high-level types).

    If you can't use 3rd-party libraries, you will have to learn about ASN.1 (not easy stuff), write your own binary parser and create an X.509 CRL decoder according to the ASN.1 module definition. Here is an example of a binary ASN.1 parser: Asn1Reader.cs, so you can imagine the complexity of writing your own reliable parser. And an example of an X.509 CRL decoder: X509CRL2.cs. I would suggest getting something that already works and using it.

    How to add Certificate to Certificate Revocation List?

    You will have to create an X.509 CRL builder/generator using an ASN.1 encoder. The CRL entry type is defined as follows:

     revokedCertificates     SEQUENCE OF SEQUENCE  {
          userCertificate         CertificateSerialNumber,
          revocationDate          Time,
          crlEntryExtensions      Extensions OPTIONAL
                                   -- if present, version MUST be v2
                               }  OPTIONAL,
    

    This barely makes any sense if you are not familiar with ASN.1, but it reveals some useful things. For example, a CRL entry consists of a certificate serial number (INTEGER) and a revocation date (UTCTime or GeneralizedTime). Optionally, there may be CRL entry extensions, such as the revocation reason (ENUMERATED).