Vitalii

Reputation: 167

Use Certificate Revocation List file with X509 in .Net

I need to protect client-server communication. I found a nice approach in .NET Core to generate X509 certificates (self-signed). But there is really a lack of any information on how to work with a Certificate Revocation List in .NET Framework. I will appreciate answers to these questions:

Upvotes: 2

Views: 2947

Answers (2)

bartonjs

Reputation: 33098

The ability to create CRLs was added in .NET 7 in the form of the CertificateRevocationListBuilder class.

Assuming you already have a PKI infrastructure set up, updating a CRL looks like

using System;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// currentCrl holds the DER bytes of the CRL you published last time.
CertificateRevocationListBuilder crlBuilder = CertificateRevocationListBuilder.Load(
    currentCrl,
    out BigInteger currentCrlNumber);

crlBuilder.AddEntry(certToRevoke);

// The CRL number must increase with every CRL the CA issues.
BigInteger nextCrlNumber = currentCrlNumber + 1;

byte[] newCrl = crlBuilder.Build(
    caCertificate,
    nextCrlNumber,
    DateTimeOffset.UtcNow + caCrlUpdateInterval,
    HashAlgorithmName.SHA256,
    RSASignaturePadding.Pkcs1);

Am I right in understanding that a CRL file could be added to a certificate?

The certificate doesn't contain the CRL (otherwise it would basically be immune from revocation...), but if it supports being revoked by CRL it contains a CRL Distribution Point extension that says where the CRL is published. The CRL Builder class can help with this, but you have to do it at the time you build the original certificate; you can't add it after (because that would require re-signing the certificate, which makes it a new certificate).

X509Extension cdpExtension =
    CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
        new[]
        {
            "http://example.org/pki/exampleCA2023-shard2.crl",
            "ftp://example.org/pkifiles/crls/exampleCA2023-shard2.crl",
        });

Note that your CDP endpoint should be http, not https, as CRL retrieval systems usually won't follow https, otherwise they could end up in a circular dependency.

Upvotes: 3
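As an added, end-to-end example (not code from the answer above; it requires .NET 7 or later), the following program creates a throwaway CA, issues a leaf certificate that carries the CRL Distribution Point extension, publishes an empty first CRL, and then reloads that CRL to revoke the leaf and bump the CRL number. The CA name, leaf name and the CDP URL are constructed placeholders.

```csharp
using System;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the answer above. Requires .NET 7 or later.
static class CrlDemo
{
    // Constructed URL: the location the leaf will advertise; nothing is served here.
    const string CdpUrl = "http://example.org/pki/demoCA.crl";

    static void Main()
    {
        using RSA caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Demo CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        using X509Certificate2 caCert = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));

        // The CDP extension goes into the leaf at issuance time; it cannot be added later.
        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=demo-client", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(
            CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(new[] { CdpUrl }));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // serial numbers must be positive integers
        using X509Certificate2 leafCert = leafReq.Create(caCert,
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddMonths(6), serial);

        // CRL number 1: nothing revoked yet.
        var builder = new CertificateRevocationListBuilder();
        byte[] crl1 = builder.Build(caCert, BigInteger.One, DateTimeOffset.UtcNow.AddDays(7),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Later: reload the published CRL, add the revoked leaf, and bump the CRL number.
        builder = CertificateRevocationListBuilder.Load(crl1, out BigInteger crlNumber);
        builder.AddEntry(leafCert, DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
        byte[] crl2 = builder.Build(caCert, crlNumber + 1, DateTimeOffset.UtcNow.AddDays(7),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        Console.WriteLine($"CRL #{crlNumber + 1}: {crl2.Length} bytes of DER, revoked {leafCert.SerialNumber}");
    }
}
```

The DER bytes in crl2 are what you would publish at the CDP URL, and relying parties compare the leaf's serial number against the revokedCertificates entries in it.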

Crypt32

Reputation: 13944

How to create a CRL file with .NET (without BouncyCastle)?

You can't; .NET natively doesn't ship any API to deal with X.509 CRL files. You have to use 3rd-party libraries.

Can it be created as any text file and signed afterwards?

No, it is not a text file.

If yes, what is the format of columns?

X.509 CRL uses Abstract Syntax Notation One (ASN.1) for its internal representation, and the ASN.1 module is defined in RFC 5280 Appendix A.1 (page 118). Unfortunately, .NET doesn't provide tools to work with raw ASN.1 data (only for well-known and supported high-level types).

If you can't use 3rd-party libraries, you will have to learn about ASN.1 (not easy stuff), write your own binary parser and create an X.509 CRL decoder according to the ASN.1 module definition. Here is an example of a binary ASN.1 parser: Asn1Reader.cs, so you can imagine the complexity of writing your own reliable parser. And an example of an X.509 CRL decoder: X509CRL2.cs. I would suggest getting something that already works and using it.

How to add a certificate to a Certificate Revocation List?

You will have to create an X.509 CRL builder/generator by using an ASN.1 encoder. The CRL entry type is defined as follows:

 revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                               -- if present, version MUST be v2
                           }  OPTIONAL,

This barely makes any sense if you are not familiar with ASN.1, but it reveals some useful things. For example, a CRL entry consists of a certificate serial number (integer) and a revocation date (UTCTime or GeneralizedTime). Optionally, there might be CRL entry extensions, like the revocation reason (ENUMERATED).

Upvotes: 1
