I am trying to write a certificate managing application for an embedded system running on Linux using OpenSSL. I was able to implement certificate verification using my own certificate store. I am stuck at generating my own certificate revocation list and adding certificates to that certificate revoking list.

Here is how I verify certificates

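```c
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Fragment: store and vrfy_ctx start out NULL; certificate, status and
   verifResult are declared by the surrounding function. */
do
{
    store = X509_STORE_new();
    if (NULL == store)
    {
        status = EOUTOFMEMORY;
        break;
    }
    /* Trust the CA certificates in OpenSSL's default file and directory. */
    X509_STORE_set_default_paths(store);

    vrfy_ctx = X509_STORE_CTX_new();
    if (NULL == vrfy_ctx ||
        1 != X509_STORE_CTX_init(vrfy_ctx, store, certificate, NULL))
    {
        status = EOUTOFMEMORY;
        break;
    }

    /* 1 = chain verified, 0 = verification failed, negative = error. */
    *verifResult = X509_verify_cert(vrfy_ctx);

} while(0);

/* Both free functions accept NULL. */
X509_STORE_CTX_free(vrfy_ctx);
X509_STORE_free(store);
```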

Can anyone please help me regarding creating a CRL file using C and adding certificates to it?

  • You should probably check OpenSSL's reference code. You can find it in the source tarball, `/apps/crl.c`. You can also find it online at OpenSSL's GitHub at [Master | apps | crl.c](http://github.com/openssl/openssl/blob/master/apps/crl.c). There's no sense in providing an answer that's a copy/paste of the source file. – jww Nov 08 '16 at 06:40
  • Sorry, I couldn't find anything on creating a new CRL file there. It uses the `load_crl()` function and loads the CRL from a file. Can you please show me the part where it's implemented? Thanks. – thilinaur Nov 08 '16 at 07:00
  • My bad... examine the source code for `ca.c`. That's the one that creates a CRL. The `crl.c` code only verifies an existing CRL. By the way, when you search for terms like ["openssl create crl"](http://www.google.com/search?q=openssl+how+to+create+a+crl) and it tells you to use `openssl ca ...`, then you go look at `apps/ca.c`. If you find an answer that says use `openssl verify ...`, then you look at the code in `apps/verify.c`. If you find an answer that says use `openssl x509 ...`, then you look at the code in `apps/x509.c`. Those are OpenSSL's reference implementations. – jww Nov 08 '16 at 07:13

0 Answers