Hi Ahmed,
I'm afraid Mbed TLS doesn't have code to create a CRL, so you'll need to
use another library for that part. This runs on the CA, which I
understand in your case is the Raspberry Pi, so you can use OpenSSL, for
which there are tutorials on the web.
To revoke a certificate, create a CRL including that certificate and
sign it. Then send the certificate to the device that will do the
certificate verification. This is generally done out of band.
If you verify certificates using Mbed TLS, you can check for revocation.
Pass the CRL to mbedtls_x509_crl_parse() to populate a CRL object
mbedtls_x509_crl, then pass this object to mbedtls_x509_crt_verify() or
its variants. If the certificate is revoked according to the CRL,
mbedtls_x509_crt_verify() returns a VERIFY_FAILED error.
Best regards,
--
Gilles Peskine
Mbed TLS developer
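The reply above splits the work into an OpenSSL half on the CA (the Raspberry Pi) and an Mbed TLS half on the verifier. As an added example that is not part of this thread, Mbed TLS, or OpenSSL's own documentation, here is the CA half in shell: a throwaway CA, one issued device certificate, the revoke step, generation of the PEM CRL that mbedtls_x509_crl_parse() would later consume, and a local check with openssl verify -crl_check. The function names, the CA directory layout and the config file are my assumptions, and the only requirement is an openssl CLI (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway OpenSSL CA that issues a
# device certificate, revokes it, publishes a CRL and verifies against it.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; names are made up.
set -eu
setup_demo_ca() {   # CA directory layout plus self-signed CA cert, in the cwd
  mkdir -p ca/newcerts && : > ca/index.txt
  echo 1000 > ca/serial && echo 1000 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=DemoCA \
    -addext basicConstraints=critical,CA:TRUE -config ca.cnf \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
}
issue_cert() {   # $1 = CN; writes $1.key and $1.crt signed by the demo CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config ca.cnf \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
revoke_and_gencrl() {   # $1 = cert to revoke; rewrites ca.crl (PEM CRL)
  openssl ca -batch -config ca.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
crl_status() {   # $1 = cert; "valid" if it verifies against ca.crl, else "revoked"
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}
cd "$(mktemp -d)" && setup_demo_ca && issue_cert device1
revoke_and_gencrl device1.crt
crl_status device1.crt   # prints: revoked
```

Re-running revoke_and_gencrl after each new revocation is the "update the CRL" step; the resulting ca.crl is what gets shipped out of band to the verifying device.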
On 10/08/2023 20:50, ahmed bouzid via mbed-tls wrote:
> Hello,
>
> I'm currently engaged in a project where I'm utilizing mbedtls for the management of certificates. Within this project, I'm aiming to integrate a revocation feature using Certificate Revocation Lists (CRLs). However, my search for resources on how to effectively implement a comprehensive certificate revocation process using mbedtls has unfortunately yielded no productive outcomes.
> I am concerned about how to first create a CRL file and sign it using my self-signed CA, how to revoke a certificate if we need to revoke it, and how to update the CRL, then when parsing the cert how to detect that this certificate has been revoked. (I am using the LPCXpresso55S16 as a client and a Raspberry Pi as a server, and I am doing it all in code.)
>
> Thank you in advance for your support.
>
> Best regards,
> Ahmed.