000025711 - Keon: How to generate a CRL using CA API when enable CRL publishing is not set

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025711
Applies To: Keon Certificate Authority 6.5 API
Sun Solaris 2.8
Microsoft Windows 2000
Issue: Keon: How to generate a CRL using CA API when enable CRL publishing is not set
Cause: If a CRL is generated using the sample CACreateCRL.C program, a mechanism is required to retrieve it. If CRL publishing is not enabled, there is no standard way to read the generated CRL.
Resolution: The CACreateCRL.C program may be modified to save the CRL to a file. First, add the following function to the sample code:

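/*
        Convert generated CRL to PEM format
        and output to file
*/
Xrc OutputCRL( XANY crl ){
        FILE        *outfile;
        char        *pem = NULL;

        outfile = fopen("CA1.crl", "w+");
        if (outfile == NULL)
        {
                printf("cannot open crl file.\n");
                return XrcWRITEFAILURE;
        }

        XudaXPTOctetsToPem(crl, &pem);
        if (pem == NULL)
        {
                /* defensive check: nothing to write if the conversion produced no PEM data */
                fclose(outfile);
                return XrcWRITEFAILURE;
        }

        /* Write straight to the file. A CRL can be larger than any fixed-size
           buffer, so formatting it with sprintf() into a 4096-byte array
           could overflow the stack. */
        fprintf(outfile, "-----BEGIN X509 CRL-----\n%s-----END X509 CRL-----", pem);
        XudaMEMFREE(pem);
        pem = NULL;
        fclose(outfile);
        return XrcOK;
}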

Then change the main section of the program. Locate the following line:

                fprintf(stdout, "CRL creation succeeds\n");

and add the following additional line directly below it:

                OutputCRL(crl);

This will then call the new function and save the CRL into the file "CA1.crl", PEM encoded.
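To confirm that the saved "CA1.crl" is structurally intact (both armor lines present, valid base64, and an outer DER SEQUENCE whose declared length matches the decoded size, which catches a truncated write), a check along these lines can be run over the file contents. This is an added example, not part of the RSA sample code; check_pem_crl and SAMPLE are hypothetical names, and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>
#define BEGIN_CRL "-----BEGIN X509 CRL-----"
#define END_CRL   "-----END X509 CRL-----"

/* Map one base64 character to its 6-bit value, or -1 if it is not one. */
static int b64val(int c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Return the DER size if text is a PEM CRL whose outer SEQUENCE length
   matches the decoded byte count; otherwise a negative error code. */
long check_pem_crl(const char *text) {
    const char *b = strstr(text, BEGIN_CRL);
    const char *e = b ? strstr(b, END_CRL) : NULL;
    unsigned long acc = 0, total = 0, declared = 0, hdr = 2, i;
    unsigned char head[6] = {0};
    int bits = 0, v;

    if (!b || !e) return -1;                       /* armor line missing */
    for (b += strlen(BEGIN_CRL); b < e && *b != '='; b++) {
        if (*b == '\n' || *b == '\r' || *b == ' ') continue;
        if ((v = b64val((unsigned char)*b)) < 0) return -2;  /* bad char */
        acc = (acc << 6) | (unsigned long)v;
        if ((bits += 6) >= 8) {                    /* a full byte is ready */
            bits -= 8;
            if (total < sizeof head)
                head[total] = (unsigned char)((acc >> bits) & 0xFF);
            total++;
        }
    }
    if (total < 2 || head[0] != 0x30) return -3;   /* not a DER SEQUENCE */
    if (head[1] & 0x80) {                          /* long-form length */
        hdr = 2 + (unsigned long)(head[1] & 0x7F);
        if (hdr < 3 || hdr > 6 || total < hdr) return -3;
        for (i = 2; i < hdr; i++) declared = (declared << 8) | head[i];
    } else {
        declared = head[1];                        /* short-form length */
    }
    if (hdr + declared != total) return -4;        /* truncated or padded */
    return (long)total;
}

/* Constructed sample: SEQUENCE { INTEGER 1 }, not a real CRL. */
static const char SAMPLE[] = BEGIN_CRL "\nMAMCAQE=\n" END_CRL;

int main(void) { printf("%ld\n", check_pem_crl(SAMPLE)); return 0; }
```

The check covers only the PEM armor and the outer DER length; it does not verify the CRL signature or its contents.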
Legacy Article ID: a14654
