Friday, August 5, 2011

Revoking a certificate and generating a Certificate Revocation List.

Before we look at the commands to revoke a certificate and to generate a CRL, let us first understand what revoking a certificate means and what a CRL is for.

Revoking a certificate does not invalidate it. The certificate itself remains valid even after it has been revoked (its signature still verifies), and the holder can still present it.
Revocation means that the certificate is no longer trustworthy. Whenever the Certificate Authority learns that the certificate's private key has been compromised and it is not safe to use the certificate anymore, the CA revokes the certificate, generates a CRL (Certificate Revocation List) and publishes the CRL on its website, so that everyone relying on the certificate can see that it has been revoked and is advised not to trust it anymore. Since the CA does not know who is using a certificate it issued to authenticate a particular user, the CRL is the best available way to inform all of those users that the certificate is no longer trustworthy.

To revoke a certificate, use the OpenSSL command below:

openssl ca -config openssl.cnf -revoke Certificates/CertificateToRevoke.cer -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer

To generate a certificate revocation list, use the command below:

openssl ca -config openssl.cnf -gencrl -out Certificates/CA.crl -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer
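An end-to-end run of the two commands above, added here as an example and not taken from the original post: it builds a throwaway CA in a temporary directory, issues a certificate, revokes it, regenerates the CRL and then checks the certificate against the CRL with openssl verify -crl_check, which is the step a relying party must perform for the revocation to have any effect. The openssl.cnf contents, the directory layout and all names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, issue a leaf
# certificate, revoke it, regenerate the CRL and check the certificate against it.
set -eu
WORK=$(mktemp -d) && cd "$WORK" && mkdir -p Certificates Keys newcerts
: > index.txt; echo 01 > serial; echo 01 > crlnumber
cat > openssl.cnf <<'EOF'   # constructed minimal config with what `openssl ca` needs
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# Root CA key + self-signed certificate, then a leaf certificate signed by the CA
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout Keys/RootCA.key -out Certificates/RootCA.cer -subj "/CN=Demo Root CA" >/dev/null 2>&1
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
  -keyout Keys/leaf.key -out leaf.csr -subj "/CN=leaf.example" >/dev/null 2>&1
openssl ca -batch -config openssl.cnf -in leaf.csr -out Certificates/CertificateToRevoke.cer \
  -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer >/dev/null 2>&1
gen_crl() {  # (re)issue the CRL from the CA database, exactly as in the post
  openssl ca -config openssl.cnf -gencrl -out Certificates/CA.crl \
    -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer >/dev/null 2>&1
}
crl_status() {  # $1 = certificate to check; prints good, revoked or error
  out=$(openssl verify -crl_check -CAfile Certificates/RootCA.cer \
        -CRLfile Certificates/CA.crl "$1" 2>&1) && { echo good; return 0; }
  case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}
gen_crl; BEFORE=$(crl_status Certificates/CertificateToRevoke.cer)  # empty CRL: leaf still trusted -> good
openssl ca -config openssl.cnf -revoke Certificates/CertificateToRevoke.cer \
  -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer >/dev/null 2>&1
gen_crl; AFTER=$(crl_status Certificates/CertificateToRevoke.cer)   # CRL now lists the serial -> revoked
echo "before revocation: $BEFORE, after: $AFTER"
```

Note that without -crl_check (or an equivalent OCSP/CRL lookup) openssl verify still reports the revoked certificate as OK, which is exactly the point made above: revocation only works if relying parties fetch and consult the CRL.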

That's all we need to revoke a certificate and publish a CRL. Please provide comments and suggestions to improve the post.