Certificate revocation lists

To publish lists of revoked certificates, Document Rails uses X.509 CRL infrastructure together with status list publishers.

A certificate revocation list created using the API is bound to a single certificate authority. A certificate authority may have multiple certificate revocation lists attached to it, which keeps each published CRL small.

Certificate revocation lists are synchronized with status list publishers on every update, but the synchronization itself is asynchronous and it may take some time before changes become visible at the published URL.

To start using certificate revocation lists in Document Rails, you can create one using the API:

import { createCertificateRevocationList } from "@vaultie/document-rails";

const response = await createCertificateRevocationList(
    client,
    accessToken,
    organizationId,
    {
        // Certificate authority to bind this CRL to.
        certificate_authority_id: certificateAuthorityId,

        // External identifier to publish this CRL under.
        //
        // For example, if your status list publisher URL is "https://example.com",
        // the final CRL URL in this case would be "https://example.com/Testing".
        external_id: "Testing",
    },
);

After that, when you create either a subordinate certificate authority or an end-entity certificate, pass the certificate revocation list identifier so that the CRL's URL is embedded in the generated X.509 certificate.

import { issueWithCertificateAuthority } from "@vaultie/document-rails";

const response = await issueWithCertificateAuthority(
    client,
    accessToken,
    organizationId,
    certificateAuthorityId,
    {
        // ...

        // Certificate revocation list identifier.
        certificate_revocation_list_id: certificateRevocationListId,
    }
);
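Because synchronization with the status list publisher is asynchronous, a client that has just created a CRL or issued a certificate should not assume the published CRL is reachable immediately. The following is an added example, not part of the `@vaultie/document-rails` SDK: it derives the published CRL URL from the publisher base URL and `external_id` exactly as described above, then polls that URL until the publisher has caught up. It assumes the publisher answers 404 until the CRL is synchronized and 2xx once it is live; the `FetchLike` type, the names `crlUrl` and `waitForCrlPublished`, and the back-off schedule are this example's own.

```typescript
// Added example, not SDK code. Assumed publisher behaviour: 404 = not yet
// synchronized, 2xx = CRL published, anything else = hard failure.

// Minimal fetch-like shape so the poller can run on a real fetch or a stub.
type FetchLike = (url: string) => Promise<{ status: number }>;

// Build "<publisher base>/<external_id>" (assumed: a single, percent-encoded
// path segment appended to the publisher URL, trailing slashes normalized).
function crlUrl(publisherBaseUrl: string, externalId: string): string {
  const base = publisherBaseUrl.replace(/\/+$/, "");
  return `${base}/${encodeURIComponent(externalId)}`;
}

type PollResult = { published: boolean; attempts: number; lastStatus?: number };

// Poll the published CRL URL with linear back-off. Stops early on any status
// other than 404 so a misconfigured publisher is reported, not retried forever.
async function waitForCrlPublished(
  url: string,
  fetchFn: FetchLike,
  opts: {
    attempts?: number;
    delayMs?: number;
    sleep?: (ms: number) => Promise<void>;
  } = {},
): Promise<PollResult> {
  const attempts = opts.attempts ?? 10;
  const delayMs = opts.delayMs ?? 2000;
  const sleep =
    opts.sleep ?? ((ms: number) => new Promise<void>((r) => setTimeout(r, ms)));
  let lastStatus: number | undefined;
  for (let i = 1; i <= attempts; i++) {
    const res = await fetchFn(url);
    lastStatus = res.status;
    if (res.status >= 200 && res.status < 300) {
      return { published: true, attempts: i, lastStatus };
    }
    if (res.status !== 404) {
      return { published: false, attempts: i, lastStatus };
    }
    if (i < attempts) await sleep(delayMs * i);
  }
  return { published: false, attempts, lastStatus };
}

// Typical use with the values from the examples above:
//   await waitForCrlPublished(crlUrl("https://example.com", "Testing"),
//                             (u) => fetch(u));
```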