CryptoSys PKI Pro Manual

X509_MakeCRL

Creates an X.509 Certificate Revocation List (CRL).

VBA/VB6 Syntax

Public Declare Function X509_MakeCRL Lib "diCrPKI.dll" (ByVal strCrlFile As String, ByVal strIssuerCert As String, ByVal strIssuerKeyFile As String, ByVal strPassword As String, ByVal strRevokedCertList As String, ByVal strExtensions As String, ByVal nOptions As Long) As Long

nRet = X509_MakeCRL(strCrlFile, strIssuerCert, strIssuerKeyFile, strPassword, strRevokedCertList, strExtensions, nOptions)

C/C++ Syntax

long __stdcall X509_MakeCRL(const char *szCrlFile, const char *szIssuerCert, const char *szIssuerKeyFile, const char *szPassword, const char *szRevokedCertList, const char *szExtensions, long nOptions);

Parameters

szCrlFile
[in] String with name of new CRL file to be created.
szIssuerCert
[in] String with name of issuer's X.509 certificate file (or base64 representation).
szIssuerKeyFile
[in] String with name of issuer's encrypted private key file.
szPassword
[in] String containing password for issuer's encrypted private key file.
szRevokedCertList
[in] String with list of revoked certificates in the format serialNumber,revocationDate; ... or the empty string "" for no revoked certificates. See the Remarks section below for more details.
szExtensions
[in] (optional) containing one or more attribute-value pairs separated by semicolons (;). Valid attribute-value pairs are:
nOptions
[in] Option flags. Choose one signature algorithm from:
PKI_SIG_SHA1RSA (0) to use sha1WithRSAEncryption (default - CAUTION)
PKI_SIG_SHA224RSA to use sha224WithRSAEncryption
PKI_SIG_SHA256RSA to use sha256WithRSAEncryption [minimum recommended]
PKI_SIG_SHA384RSA to use sha384WithRSAEncryption
PKI_SIG_SHA512RSA to use sha512WithRSAEncryption
PKI_SIG_MD5RSA to use md5WithRSAEncryption [legacy, not recommended]
PKI_SIG_MD2RSA to use md2WithRSAEncryption [legacy, definitely not recommended]
PKI_SIG_RSA_PSS_SHA1 to use RSA-PSS-SHA1
PKI_SIG_RSA_PSS_SHA224 to use RSA-PSS-SHA224
PKI_SIG_RSA_PSS_SHA256 to use RSA-PSS-SHA256
PKI_SIG_RSA_PSS_SHA384 to use RSA-PSS-SHA384
PKI_SIG_RSA_PSS_SHA512 to use RSA-PSS-SHA512
PKI_SIG_ECDSA_SHA1 to use ecdsaWithSHA1
PKI_SIG_ECDSA_SHA224 to use ecdsaWithSHA224
PKI_SIG_ECDSA_SHA256 to use ecdsaWithSHA256
PKI_SIG_ECDSA_SHA384 to use ecdsaWithSHA384
PKI_SIG_ECDSA_SHA512 to use ecdsaWithSHA512
PKI_SIG_ED25519 to use Ed25519 [New in v20.0]
PKI_SIG_ED448 to use Ed448 [New in v22.0]

And add any combination of these:-
PKI_X509_FORMAT_PEM to save the certificate in PEM format (default = DER-encoded binary)

Specialist options:-
PKI_PSS_SALTLEN_ZERO to use a zero-length salt in an RSA-PSS signature.
PKI_SIG_DETERMINISTIC to use the deterministic digital signature generation procedure of [RFC6979] for an ECDSA signature.

Returns (VBA/C)

If successful, the return value is zero; otherwise it returns a nonzero error code.

.NET Equivalent

X509.MakeCRL Method

C++ (STL) Equivalent

static int dipki::X509::MakeCRL (const std::string &newFile, const std::string &issuerCert, const std::string &priKeyFile, const std::string &password, const std::string revokedCertList, const std::string extns="", SigAlg sigAlg=SigAlg::Default, CrlOptions opts=CrlOptions::Default_CrlOpt)

Python Equivalent

static X509.make_crl(newcrlfile, issuercert, prikeyfile, password, revokedcertlist="", extns="", sigalg=0, opts=0)

Remarks

This function creates a version 1 CRL file with no extensions and no cRLReason codes. The parameter szRevokedCertList must be in the form

serialNumber,revocationDate;serialNumber,revocationDate; ...

The serialNumber must either be a positive decimal number (e.g. 123) or the number in hex format preceded by "#x" (e.g. "#x0102deadbeef"). The revocation date must be in ISO date format (e.g. 2009-12-31 or 2009-12-31T12:59:59Z).

By default, the lastUpdate time in the CRL is set to the time given by the system clock, and nextUpdate time is left empty. You can specify your own times using the lastUpdate and nextUpdate attributes in the szExtensions parameter. Times, if specified, must be in ISO 8601 format and are always interpreted as GMT times whether or not you add a "Z".
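The following is an added example, not code from the CryptoSys PKI manual or library: it parses a szRevokedCertList string of the form described above (decimal or "#x" hex serial numbers, ISO dates read as GMT) and derives what a CRL builder encodes for each entry, namely the DER INTEGER content octets of the serial number (which is what CERTMGR prints) and the RFC 5280 Time choice (UTCTime through 2049, GeneralizedTime from 2050). Python is used because the page lists a Python equivalent; all helper names are this example's own, and the sample string is the one from the VBA example.

```python
# Added example, not part of the CryptoSys PKI manual. Helper names are
# this example's own; the input string is the one used in the VBA example.
import re
from datetime import datetime, timezone

_ENTRY_RE = re.compile(r"^\s*(?P<serial>#x[0-9A-Fa-f]+|\d+)\s*,\s*(?P<date>\S+)\s*$")

def parse_serial(text: str) -> int:
    """Decimal (e.g. 123) or '#x'-prefixed hex (e.g. #x0102deadbeef)."""
    value = int(text[2:], 16) if text.lower().startswith("#x") else int(text, 10)
    if value <= 0:
        raise ValueError(f"serial number must be positive: {text!r}")
    return value

def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian, plus a leading
    0x00 when the top bit is set so the value is not read as negative.
    (None of the page's sample serials needs the pad; 0x80 would.)"""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def parse_iso_gmt(text: str) -> datetime:
    """ISO 8601 date or date-time; always GMT whether or not a 'Z' is given."""
    clean = text.rstrip("Zz")
    for fmt in ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M"):
        try:
            return datetime.strptime(clean, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"revocation date not in ISO format: {text!r}")

def x509_time(dt: datetime) -> str:
    """RFC 5280 Time: UTCTime (YYMMDDHHMMSSZ) before 2050, else GeneralizedTime."""
    return dt.strftime("%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ")

def parse_revoked_list(spec: str) -> list:
    """Split 'serial,date;serial,date;...' into per-entry encodings."""
    entries = []
    for item in spec.split(";"):
        if not item.strip():
            continue  # tolerates "" (no revoked certs) and a trailing ';'
        m = _ENTRY_RE.match(item)
        if not m:
            raise ValueError(f"bad revoked-certificate entry: {item!r}")
        serial = parse_serial(m["serial"])
        entries.append({"serial": serial,
                        "serial_hex": der_integer_content(serial).hex(" ").upper(),
                        "revocationDate": x509_time(parse_iso_gmt(m["date"]))})
    return entries

# Constructed input: the same list as the manual's VBA example.
SAMPLE = "1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59"
```

Running parse_revoked_list(SAMPLE) yields serial_hex values "01 01 D0" and "01 02 DE AD BE EF" for the last two entries, matching the CERTMGR listing further down the page, and puts the 2066 entry into GeneralizedTime.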

Example

Dim nRet As Long
Dim strCrlFile As String
Dim strIssuerFile As String
Dim strKeyFile As String
Dim strPassword As String
Dim strCertList As String
Dim strExtension As String
' Create a new CRL dated with the current system time
strCrlFile = "CarlsNew.crl"
strIssuerFile = "CarlRSASelf.cer"
strKeyFile = "CarlPrivRSASign.p8e"
' CAUTION: DO NOT HARD-CODE REAL PASSWORDS!
strPassword = "password"
strCertList = "1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59"
nRet = X509_MakeCRL(strCrlFile, strIssuerFile, strKeyFile, strPassword, strCertList, "", 0)
Debug.Print "X509_MakeCRL returns " & nRet & " (expected 0)"
If (nRet = 0) Then
  Debug.Print "SUCCESS: New CRL file '" & strCrlFile & "' created."
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If
' Create another CRL using specified times (NB these are GMT times, not local)
strExtension = "thisUpdate=2010-04-01T12:00;nextUpdate=2010-05-01"
strCrlFile = "Carl_20100401.crl"
nRet = X509_MakeCRL(strCrlFile, strIssuerFile, strKeyFile, strPassword, strCertList, strExtension, 0)
Debug.Print "X509_MakeCRL returns " & nRet & " (expected 0)"
If (nRet = 0) Then
  Debug.Print "SUCCESS: New CRL file '" & strCrlFile & "' created."
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

The latter instruction should produce a CRL of the following form:

>certmgr -crl -v Carl_20100401.crl
==============CRL # 1 ==========
Issuer::
  [0,0] 2.5.4.3 (CN) ValueType: 4
     43 61 72 6C 52 53 41                               'CarlRSA'
ThisUpdate::
  Thu Apr 01 20:00:00 2010
NextUpdate::
  Sat May 01 08:00:00 2010
SHA1 Thumbprint::
      BAE05E5B E4F5E7A7 82F487CC 60F7BC31 0A643538
MD5 Thumbprint::
      20E8251E 7959BE61 41441901 60DB7FBA
Version:: 0
SignatureAlgorithm:: 1.2.840.113549.1.1.5
SignatureAlgorithm.Parameters::
     05 00                                              '..'
-----  Entries  -----
 [0] SerialNumber:: 01
 [0] RevocationDate:: Mon Dec 31 08:00:00 2007
 [0] Extensions:: NONE
 [1] SerialNumber:: 02
 [1] RevocationDate:: Thu Dec 31 20:59:59 2009
 [1] Extensions:: NONE
 [2] SerialNumber:: 01 01 D0
 [2] RevocationDate:: Fri Jan 01 08:00:00 2066
 [2] Extensions:: NONE
 [3] SerialNumber:: 01 02 DE AD BE EF
 [3] RevocationDate:: Sun Feb 28 09:01:59 2010
 [3] Extensions:: NONE
==============================================
CertMgr Succeeded

Note that the times given by CERTMGR are local, not GMT, and the output above is from a computer in a timezone 8 hours ahead of GMT. Different times will be shown in different timezones.

See Also

X509_CheckCertInCRL



Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-09-23T07:52:09Z.