How do I add a CRL address to a self-signed CA certificate?


This is an extension question:

To extend it: if I have created a CA certificate, and have created a set of SPC certs, how do I go about creating and distributing revocation lists? (Note: I do not know how the CRL works, how it is distributed, etc.) If I think about how all this works, then I would expect the CA certificate to define some HTTP address where the CRL can be downloaded, and Windows would contact it the first time a certificate is inquired about, and every time the current CRL expires... then I must make a signed web page which distributes certificate serial numbers...?

Edit: answering myself

For anyone interested, Bouncy Castle is a Java + C# library containing a huge set of PKI crypto APIs, including certificate generation.

Their sample code (in their downloads) shows how to prepare an aligned set of CA, intermediate, and 'personal' certificates.

It does not show how to add an HTTP-based CRL; you can do this with this code:

    // Tag 6 is the uniformResourceIdentifier choice of GeneralName
    GeneralName gn = new GeneralName(new DerIA5String("http://localhost/revocationlist.crl"), 6);
    GeneralNames gns = new GeneralNames(gn);
    DistributionPointName dpn = new DistributionPointName(gns);
    // No reason flags and no separate CRL issuer
    DistributionPoint distp = new DistributionPoint(dpn, null, null);
    DerSequence seq = new DerSequence(distp);
    // Add as a non-critical extension to the X509V3CertificateGenerator
    v3CertGen.AddExtension(X509Extensions.CrlDistributionPoints, false, seq);

Suppose you have a CA certificate and some set of certificates which are signed by that CA certificate. You can then create a CRL, which is (potentially) the IDs of the revoked certificates which were previously signed using the CA certificate. In fact, you add the URL of the CRL to the CA certificate through the respective certificate extension (CRL Distribution Points).

As you have not specified what tools or libraries you use to generate certificates, I cannot say how the extension can be added.

PS: I would recommend that you learn about the technology before using it, especially when it comes to implementing security; otherwise you will end up in a situation worse than Comodo's, whose sub-agents recently issued fake certificates for Google, Yahoo and more.
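To tie the snippet in the self-answer to the revocation flow the second answer describes, here is an added end-to-end example (not code from the original post or from Bouncy Castle's samples) in Bouncy Castle C#: it creates a self-signed CA, issues a certificate that carries a CRL distribution point, publishes a CRL signed by the CA, and checks it. It assumes the BouncyCastle.Cryptography package and C# top-level statements; the URL is a placeholder the CA operator would have to serve in practice, and per RFC 5280 section 4.2.1.13 the extension is placed in the issued certificate whose status the CRL covers, not in the CA's own certificate.

```csharp
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
const string crlUrl = "http://localhost/revocationlist.crl"; // placeholder: the CA operator must serve the CRL here
var caName = new X509Name("CN=Example Root CA");
var caKeys = NewKeyPair();
var caSigner = new Asn1SignatureFactory("SHA256WITHRSA", caKeys.Private);

// Self-signed CA certificate, marked as a CA via basicConstraints.
var caGen = Template(caName, caName, 1, caKeys.Public);
caGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
X509Certificate caCert = caGen.Generate(caSigner);

// The CRL distribution point goes into each issued certificate (RFC 5280, 4.2.1.13):
// it tells a relying party where to fetch the CRL that covers that certificate.
var dp = new DistributionPoint(new DistributionPointName(new GeneralNames(
    new GeneralName(GeneralName.UniformResourceIdentifier, crlUrl))), null, null);
var eeGen = Template(caName, new X509Name("CN=Example Publisher"), 2, NewKeyPair().Public);
eeGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new[] { dp }));
X509Certificate eeCert = eeGen.Generate(caSigner);

// Publish a CRL revoking serial 2; relying parties re-fetch it once NextUpdate has passed.
var crlGen = new X509V2CrlGenerator();
crlGen.SetIssuerDN(caName);
crlGen.SetThisUpdate(DateTime.UtcNow); crlGen.SetNextUpdate(DateTime.UtcNow.AddDays(7));
crlGen.AddCrlEntry(eeCert.SerialNumber, DateTime.UtcNow, CrlReason.KeyCompromise);
X509Crl crl = crlGen.Generate(caSigner);

crl.Verify(caCert.GetPublicKey());          // throws unless the CRL was signed by the CA key
Console.WriteLine(crl.IsRevoked(eeCert));   // True
static AsymmetricCipherKeyPair NewKeyPair()
{
    var gen = new RsaKeyPairGenerator();
    gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
    return gen.GenerateKeyPair();
}
// One-year certificate template issued by 'issuer'; the caller adds extensions and signs it.
static X509V3CertificateGenerator Template(X509Name issuer, X509Name subject, long serial, AsymmetricKeyParameter pub)
{
    var g = new X509V3CertificateGenerator();
    g.SetSerialNumber(BigInteger.ValueOf(serial));
    g.SetIssuerDN(issuer); g.SetSubjectDN(subject); g.SetPublicKey(pub);
    g.SetNotBefore(DateTime.UtcNow.AddMinutes(-5)); g.SetNotAfter(DateTime.UtcNow.AddYears(1));
    return g;
}
```

A relying party that honours the extension will fetch the CRL from the URL in the issued certificate, verify its signature against the CA key as done above, and treat the certificate as revoked once its serial appears; keeping NextUpdate short bounds how long a revoked certificate stays trusted.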
