Hello,
I'm currently engaged in a project where I'm utilizing mbedtls for the management of certificates. Within this project, I'm aiming to integrate a revocation feature using Certificate Revocation Lists (CRLs). However, my search for resources on how to effectively implement a comprehensive certificate revocation process using mbedtls has unfortunately yielded no productive outcomes. I am concerned about how to first create a CRL file and sign it using my self-signed CA, how to revoke a certificate if we need to revoke it, and how to update the CRL, and then, when parsing the cert, how to detect that this certificate has been revoked. (I am using an LPCXpresso55S16 as a client and a Raspberry Pi as a server, and I am doing it all in code.)
Thank you in advance for your support.
Best regards, Ahmed.
Hi Ahmed,
I'm afraid Mbed TLS doesn't have code to create CRLs, so you'll need to use another library for that part. This runs on the CA, which I understand in your case is the Raspberry Pi, so you can use OpenSSL, for which there are tutorials on the web.
To revoke a certificate, create a CRL including that certificate and sign it. Then send the certificate to the device that will do the certificate verification. This is generally done out of band.
If you verify certificates using Mbed TLS, you can check for revocation. Pass the CRL to mbedtls_x509_crl_parse() to populate a CRL object (mbedtls_x509_crl), then pass this object to mbedtls_x509_crt_verify() or one of its variants. If the certificate is revoked according to the CRL, mbedtls_x509_crt_verify() returns a VERIFY_FAILED error.
Best regards,
mbed-tls@lists.trustedfirmware.org
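The CA-side procedure the reply sketches (create a CRL, sign it with the self-signed CA, revoke a certificate, re-issue the CRL), as an added example that is not part of this thread and is not code from Mbed TLS or from OpenSSL's documentation. It is a POSIX shell script around the OpenSSL command-line tool, the kind of thing one would run on the Raspberry Pi: it builds a throwaway CA, issues two device certificates, publishes a CRL, revokes one device, republishes, and then checks each certificate against the current CRL with openssl verify -crl_check, which plays the role mbedtls_x509_crt_verify() plays on the client. The ca.crt and ca.crl files it produces are the blobs one would distribute to the LPC55S16 and feed to the Mbed TLS parsers named above. The CA name, section names and device names (demo_ca, device-a, device-b, ...) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Mbed TLS or OpenSSL): minimal CA
# lifecycle for CRL-based revocation, driven with the OpenSSL CLI.
# All names here (demo_ca, device-a, device-b, ...) are invented.
set -eu

ca_setup() {
  # Fresh working directory. "openssl ca" keeps its issuance database
  # (index.txt), next serial and next CRL number in plain text files.
  WORK=$(mktemp -d)
  cd "$WORK"
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 01   > crlnumber
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_leaf

[ policy_any ]
commonName = supplied

[ v3_leaf ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA; keyCertSign + cRLSign so it may sign certs and CRLs.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Self-Signed CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # Publish an empty CRL immediately: verifiers need a CRL to exist even
  # before anything has been revoked.
  publish_crl
}

issue_cert() {  # $1 = device name, used as CN and as file prefix
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

publish_crl() {
  # Signs a new CRL from the database with the CA key; crlnumber is bumped.
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

revoke_cert() {  # $1 = device name
  # Marks the certificate revoked in index.txt, then republishes the CRL.
  # Until the new ca.crl reaches the verifier, the device is still accepted.
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  publish_crl
}

check_cert() {  # $1 = device name; prints valid | revoked | invalid
  # -crl_check makes verify consult ca.crl for the leaf certificate.
  if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" 2>&1); then
    echo valid; return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked; return 1 ;;
    *)                       echo invalid; return 2 ;;
  esac
}

# Walk through the lifecycle once.
ca_setup
issue_cert device-a
issue_cert device-b
echo "device-a before revocation: $(check_cert device-a)"
revoke_cert device-a
echo "device-a after revocation:  $(check_cert device-a)"
echo "device-b, untouched:        $(check_cert device-b)"
echo "distribute $WORK/ca.crt and $WORK/ca.crl to the verifying device"
```

The script leaves its working directory in place so the generated ca.crt and ca.crl can be copied off; a CRL with nothing on it is still a valid, signed CRL and should be published from day one, and every later revocation is just "update index.txt, run -gencrl again, redistribute the file".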