This week, I made one more step of progress by implementing the Certificate Revocation List (CRL). The CRL holds a list of certificates that had to be revoked before their expiry date for a particular reason. In our case, that reason would be to handle the case where the customers can make early renewals for their subscription. But because they are already holding a valid certificate from their last payment date, we would need to revoke that certificate and supply them a new valid certificate for their current subscription term.
To get their old valid certificate, we would send them an email containing a link to download their new certificate, but that link actually points to a REST endpoint where if their old valid certificate is provided, then we could revoke it and immediately redirect them to download. By revoking it, the serial number of that certificate as well as the revocation date gets added to the CRL. Since the certificate is used to authenticate users in our applications, those applications would need to get a copy of that CRL, so that a check could be done to determine if the certificate provided has already been revoked. Hence, a REST endpoint to get the CRL is made.
Those certificates that get revoked would eventually be removed from the CRL when they have already pass their expiry date. However, only the serial number and the revocation date gets added to the CRL only, therefore the revoked certificates are actually first stored in a database table, but only their serial number and their expiry date is stored there. When the CRL gets queried from the REST endpoint that I mentioned previously, we get the the list of revoked certificates from that database table, and filter out the certificates that had already expired, by comparing their corresponding expiry date to the current date. Those certificates that expires gets removed from the database, as they are no longer needed. Once that is done, a CRL is build on the fly and is returned by the server. The MIME type for CRLs is application/pkix-crl
.
That is pretty much it for this week. Oh and there are finally new interns that are starting their work in AESTE next week, so you do not have to only read my boring blogs from now onwards. 😄
0 Comments