Add items to the CRL
To add certificate information to the CRL, use the Items property of TElCertificateRevocationList.
You can create a new certificate revocation list or load an existing one.
To load a CRL, call the corresponding LoadFromStream*() or LoadFromBuffer*() method of TElCertificateRevocationList.
The asterisk stands for the format name, or for nothing in the case of DER format.
CRLs can be stored in DER and PEM formats.
For a description of the various CRL formats, see the corresponding how-to article.
Each item represents one certificate.
An item is represented by TElRevocationItem.
Items can be accessed via the Items property and added using the Add() method.
The CRL includes the following information about the certificate:
- certificate serial number (TElRevocationItem.SerialNumber property);
- revocation date, i.e. the moment from which the certificate is treated as not valid (TElRevocationItem.RevocationDate property). This date may not be final if an invalidity date (see below) is present;
- optional extensions (TElRevocationItem.Extensions property), which include:
  - revocation reason (the set of reasons is predefined);
  - certificate issuer name (see comments below);
  - invalidity date. This property specifies when the certificate is known to have become invalid, and can be earlier than the revocation date;
  - other extensions as defined by the standard.
The standard doesn't require that the certificates included in a CRL be issued by the same CA certificate, so you can put certificates from various CAs into the same CRL.
Note that if you do so, you need to provide the name of the certificate issuer via the TElRevocationItem.Extensions.IssuerName property.
If you don't provide the issuer name and two certificates have the same serial number, a conflict will arise.
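The conflict described above, seen from the side of a relying party that looks up revocation entries by issuer and serial number. This is an added Python model, not SecureBlackbox code: the Entry type, the function names and the CA names are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Entry:
    """One revocation item (hypothetical model, not TElRevocationItem)."""
    serial: int
    revocation_date: datetime
    issuer: Optional[str] = None                # certificate issuer extension
    invalidity_date: Optional[datetime] = None  # invalidity date extension

def index_crl(crl_issuer, entries):
    """Index entries by (issuer, serial), the way a relying party matches them.

    Per RFC 3280, an entry without the certificate issuer extension takes the
    issuer of the preceding entry; the first entry defaults to the CRL issuer.
    Returns (index, conflicts); conflicts lists keys that appeared twice.
    """
    index, conflicts, current = {}, [], crl_issuer
    for e in entries:
        current = e.issuer or current
        key = (current, e.serial)
        if key in index:
            conflicts.append(key)
        else:
            index[key] = e
    return index, conflicts

def invalid_since(index, issuer, serial):
    """Moment from which the certificate is not valid, or None if not listed."""
    e = index.get((issuer, serial))
    if e is None:
        return None
    return e.invalidity_date or e.revocation_date

# Constructed sample data: two CAs that both issued serial 0x1001.
CA_A, CA_B = "CN=Example CA A", "CN=Example CA B"
REVOKED = datetime(2024, 3, 10)
COMPROMISED = datetime(2024, 3, 1)

UNLABELLED = [Entry(0x1001, REVOKED), Entry(0x1001, REVOKED)]
LABELLED = [Entry(0x1001, REVOKED, issuer=CA_A),
            Entry(0x1001, REVOKED, issuer=CA_B, invalidity_date=COMPROMISED)]

if __name__ == "__main__":
    print(index_crl(CA_A, UNLABELLED)[1])  # both entries collapse onto CA A
    idx, _ = index_crl(CA_A, LABELLED)
    print(invalid_since(idx, CA_B, 0x1001))
```

With the unlabelled list, both entries resolve to CA A, so the certificate from CA B is never reported as revoked.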
After you add the certificates to the list, remember to save the CRL as described in the corresponding how-to article.
For more information about CRLs, see RFC 3280.