Expanded CRL Support: Generating a CRL

wolfSSL has long provided solid CRL decode and validation support. This update builds on that foundation by adding CRL generation and signing capabilities, along with certificate extension helpers that improve revocation-aware certificate creation workflows.

What is a CRL?

A Certificate Revocation List (CRL), defined in RFC 5280, is a signed list published by a certificate authority (CA) that identifies certificates that should no longer be trusted before their normal expiration date. Each entry typically includes the revoked certificate’s serial number and revocation time, and clients use the CRL to reject certificates that have been compromised, misissued, or otherwise invalidated. In practice, CRLs are a core PKI safety mechanism that complements normal certificate path validation by adding explicit “do not trust” status information.

CRL Build Flow

The following APIs are aimed at teams that generate certificates and CRLs in embedded, PKI, and compliance-heavy environments. You can now build more of the lifecycle directly in wolfSSL: set extension metadata, assemble revoked entries, sign CRLs, and emit DER/PEM outputs without custom glue around private internals.

Use case 1: Build, sign, and write a CRL

/* Use case 1: Build/sign/write a CRL */
/* Assumes caCert (WOLFSSL_X509*), caKey (the CA's private key) and the DER of the
 * revoked certificate are already loaded; check every return value in real code. */
WOLFSSL_X509_CRL* crl = wolfSSL_X509_CRL_new();
wolfSSL_X509_CRL_set_issuer_name(crl, wolfSSL_X509_get_subject_name(caCert)); /* issuer = CA subject */
wolfSSL_X509_CRL_add_revoked_cert(crl, revokedCertDer, revokedCertDerSz);     /* one entry per revoked cert */
wolfSSL_X509_CRL_sign(crl, caKey, wolfSSL_EVP_sha256());                       /* sign with the CA key */
wolfSSL_write_X509_CRL(crl, "ca.crl.pem", WOLFSSL_FILETYPE_PEM);              /* emit PEM (or DER) */
wolfSSL_X509_CRL_free(crl);
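The RFC 5280 structure that the revoked entries above end up in, as an added example that is not wolfSSL code: a minimal DER encoder for the TBSCertList (issuer, thisUpdate, nextUpdate, and one serial-plus-revocation-time entry per revoked certificate) and a reader that recovers the revoked serials from it. The issuer name, dates and serials are constructed, and the block deliberately stops at the TBSCertList: the outer CertificateList signature is omitted, so a real consumer must still verify the CA signature (as wolfSSL's existing CRL decode path does) before trusting any entry.

```python
# Added example (not wolfSSL code): build and parse the RFC 5280 TBSCertList a CRL signs over.
from datetime import datetime, timezone

SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # AlgorithmIdentifier
CN_OID = bytes.fromhex("0603550403")                           # id-at-commonName

def der(tag, body):  # TLV with short- or long-form length
    n = len(body)
    if n < 0x80: return bytes([tag, n]) + body
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(b)]) + b + body

def der_int(v):  # INTEGER; the spare leading byte keeps high-bit serials positive
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def der_utctime(t):  # UTCTime, the Time choice RFC 5280 requires through 2049
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
def der_cn(name):  # Name = SEQUENCE OF (SET OF AttributeTypeAndValue)
    return der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, name.encode()))))

def build_tbs_cert_list(issuer_cn, this_update, next_update, revoked):
    # revoked: list of (serial, revocation datetime); version v2 is INTEGER 1
    body = der_int(1) + SHA256_RSA + der_cn(issuer_cn)
    body += der_utctime(this_update) + der_utctime(next_update)
    if revoked:  # revokedCertificates is absent, not empty, when nothing is revoked
        body += der(0x30, b"".join(der(0x30, der_int(s) + der_utctime(t)) for s, t in revoked))
    return der(0x30, body)

def iter_tlv(buf):  # yield (tag, value) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def revoked_entries(tbs):  # serial -> revocation time; does NOT verify any signature
    fields = list(iter_tlv(next(iter_tlv(tbs))[1]))  # children of the outer SEQUENCE
    i = (1 if fields[0][0] == 0x02 else 0) + 3  # skip version, sigAlg, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18): i += 1  # optional nextUpdate
    entries = {}
    if i < len(fields) and fields[i][0] == 0x30:  # optional revokedCertificates
        for _, entry in iter_tlv(fields[i][1]):
            (_, serial), (_, when) = list(iter_tlv(entry))[:2]
            entries[int.from_bytes(serial, "big", signed=True)] = when.decode()
    return entries

# Constructed sample: two revoked serials with fixed dates so results are stable.
T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = build_tbs_cert_list("Example CA", T0, T0.replace(day=8), [(0x1001, T0), (0x2A, T0)])
```

A serial is revoked exactly when it appears as a key of `revoked_entries(SAMPLE)`; an empty list encodes with no revokedCertificates field at all, which the reader handles.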

Use case 2: Add revocation-related cert metadata during cert creation

/* Use case 2: Add cert extensions for chain + revocation metadata */
/* Assumes cert (WOLFSSL_X509*), issuerCert and issuerKey are already set up. */
wolfSSL_X509_set_subject_key_id_ex(cert);                    /* SKID from the cert's own public key */
wolfSSL_X509_set_authority_key_id_ex(cert, issuerCert);      /* AKID links the cert to its issuer */
wolfSSL_X509_CRL_add_dist_point(cert, "http://pki.example.com/ca.crl", 0); /* where relying parties fetch the CRL */
wolfSSL_X509_set_ns_cert_type(cert, WC_NS_SSL_CLIENT | WC_NS_SSL_SERVER); /* Netscape cert type usage bits */
wolfSSL_X509_sign(cert, issuerKey, wolfSSL_EVP_sha256());    /* sign after all extensions are set */

These additions make it easier to keep certificate issuance and revocation workflows in one place, using wolfSSL end-to-end for both CRL handling and CRL creation.

Download:

Please reach out to facts@wolfssl.com for information regarding using the wolfSSL CRL generation in your project.

Questions?

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.