Managing Certificate Revocation Lists (CRLs)

Introduction to Certificate Revocation Lists (CRLs)

Certificate Revocation Lists (CRLs) are a crucial component of maintaining the security and reliability of certificate-based authentication systems, such as Mutual TLS (mTLS). A CRL provides a list of certificates that have been revoked before their scheduled expiration dates, and thus should not be trusted. Revocation can occur for various reasons, including compromise of the private key, cessation of the purpose for which the certificate was issued, or violation of policy.

CRLs are used by network services to verify the status of a digital certificate. When a client presents a certificate to a server during the authentication process, the server checks the CRL to ensure that the certificate has not been revoked, thereby preventing any potentially compromised credentials from being accepted.

Managing CRLs Through Our REST API

Our system simplifies the management of CRLs by providing a dedicated REST API for handling certificate revocation lists. This API allows customers to upload and update CRLs, which are then automatically deployed to our MQTT broker. This ensures that the broker always uses the most current revocation data, enhancing the security of device communications.

API Usage for CRL Management

The REST API located at {{api_path}}/certificate_revocation_lists supports a comprehensive set of operations to create, read, update, and delete CRLs. Here's how you can interact with the API:

Creating a CRL

To upload a new Certificate Revocation List, you can send a POST request with the PEM encoded CRL and the associated company ID. This ensures that the revocation list is applied specifically to the certificates tied to your company. The payload for creating a CRL looks like this:

{
  "company_id": "<company_id>",
  "crl": "<PEM encoded CRL>"
}

Updating a CRL

If you need to make changes to an existing CRL, use a PUT request at the same endpoint. This method requires you to send the updated PEM-encoded CRL along with the company ID. The updated CRL will replace the previous one in the system, ensuring that the latest revocation details are active. Here is a sample payload for updating a CRL:

{
  "company_id": "<company_id>",
  "crl": "<PEM encoded CRL>"
}

Deleting a CRL

To delete a CRL, you must first retrieve the specific CRL ID using a LIST command, which provides an overview of all CRLs and their associated IDs. Once you have the CRL ID, you can send a DELETE request to remove the specific CRL from the system. This method ensures that only the intended CRL is deleted, maintaining accurate and secure certificate revocation practices. Here’s how you might retrieve and delete a CRL:

# To retrieve CRL IDs
GET {{api_path}}/certificate_revocation_lists

# To delete a specific CRL
DELETE {{api_path}}/certificate_revocation_lists/<crl_id>

Deployment to the MQTT Broker

Once a CRL is uploaded or updated, it is automatically deployed to the MQTT broker. This integration ensures that any revoked certificates are immediately recognized and disallowed for use, maintaining the integrity of your system's security.