pki.util.crl

Utilities for Certificate Revocation List (CRL) generation and management.

Functions

generate_empty_crl(ca_cert, private_key[, ...])

Generate an empty CRL for a CA.

generate_crl_with_revoked_certs(issuing_ca[, ...])

Generate a CRL with revoked certificates for an issuing CA.

Module Contents

pki.util.crl.generate_empty_crl(ca_cert, private_key, hash_algorithm=None, crl_validity_hours=2400, crl_number=1)

Generate an empty CRL for a CA.

Parameters:
  • ca_cert (cryptography.x509.Certificate) – The CA certificate.

  • private_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey | cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey) – The private key of the CA.

  • hash_algorithm (cryptography.hazmat.primitives.hashes.HashAlgorithm | None) – The hash algorithm to use. Defaults to SHA256.

  • crl_validity_hours (int) – Validity period in hours.

  • crl_number (int) – The CRL number to use.

Returns:

The CRL in PEM format.

Return type:

str

pki.util.crl.generate_crl_with_revoked_certs(issuing_ca, crl_validity_hours=24)

Generate a CRL with revoked certificates for an issuing CA.

Parameters:
  • issuing_ca (pki.models.ca.IssuingCaModel) – The issuing CA model instance.

  • crl_validity_hours (int) – Hours until the next CRL update (nextUpdate field).

Returns:

The generated CRL.

Return type:

CertificateRevocationList

Raises:
  • AttributeError – If called on a keyless CA.

  • ValueError – If credential is None for issuing CA.

  • TypeError – If hash algorithm is not allowed.
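The following is an added example, not code from the pki.util.crl module. It shows, with the `cryptography` library whose types appear in the signatures above, what both documented functions produce: an empty CRL (the generate_empty_crl case, using its defaults of 2400 hours and CRL number 1) and a CRL carrying a revoked serial (the generate_crl_with_revoked_certs case), followed by the checks a relying party should run before acting on either one: issuer match, signature under the CA key, freshness window, and presence of the crlNumber extension. The CA key and certificate are constructed in memory for the demonstration; `build_crl`, `check_crl` and `revocation_reason` are hypothetical helpers that mirror the documented parameter names, and `build_crl` returns PEM bytes rather than the str the module documents.

```python
"""Added example (not pki.util.crl's own code): build an empty CRL and a CRL with
one revoked serial using `cryptography`, then verify them as a relying party."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_test_ca(common_name="Example Issuing CA"):
    """Constructed EC key and self-signed CA certificate (demo material only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                     key_encipherment=False, data_encipherment=False,
                                     key_agreement=False, key_cert_sign=True, crl_sign=True,
                                     encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_cert, private_key, revoked=(), hash_algorithm=None,
              crl_validity_hours=24, crl_number=1):
    """Hypothetical helper: sign a CRL over `revoked`, an iterable of
    (serial, reason_name) pairs. An empty iterable yields an empty CRL.
    Returns the CRL as PEM bytes."""
    hash_algorithm = hash_algorithm or hashes.SHA256()
    now = datetime.now(timezone.utc).replace(microsecond=0)  # ASN.1 times have second precision
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + timedelta(hours=crl_validity_hours))
        # crlNumber lets a relying party tell a fresh CRL from a replayed older one
        .add_extension(x509.CRLNumber(crl_number), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()),
                       critical=False)
    )
    for serial, reason_name in revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags[reason_name]), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(private_key, hash_algorithm).public_bytes(serialization.Encoding.PEM)


def _update_times(crl):
    """cryptography >= 42 exposes aware *_utc accessors; older versions return naive UTC."""
    last = getattr(crl, "last_update_utc", None) or crl.last_update
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    to_aware = lambda dt: dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return to_aware(last), to_aware(nxt)


def check_crl(crl_pem, ca_cert):
    """Relying-party checks: issuer matches the CA, signature verifies under the CA
    key, the CRL is inside its validity window and carries a crlNumber.
    Raises ValueError on any failure; returns a summary dict otherwise."""
    crl = x509.load_pem_x509_crl(crl_pem)
    if crl.issuer != ca_cert.subject:
        raise ValueError("CRL issuer does not match the CA subject")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify under the CA key")
    last, nxt = _update_times(crl)
    if not last <= datetime.now(timezone.utc) <= nxt:
        raise ValueError("CRL is stale or not yet effective")
    number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    return {"crl_number": number, "revoked_count": len(crl),
            "validity_hours": int((nxt - last).total_seconds() // 3600)}


def revocation_reason(crl_pem, serial):
    """Return the CRLReason name recorded for `serial`, or None if it is not listed."""
    crl = x509.load_pem_x509_crl(crl_pem)
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return None
    return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name


if __name__ == "__main__":
    key, ca = make_test_ca()
    print(check_crl(build_crl(ca, key, crl_validity_hours=2400, crl_number=1), ca))
    crl = build_crl(ca, key, [(0x1234, "key_compromise")], crl_number=2)
    print(check_crl(crl, ca), revocation_reason(crl, 0x1234))
```

The forged-CRL case matters in practice: a CRL signed by any key other than the issuing CA's must be rejected before its contents are consulted, which is why `check_crl` verifies the signature before counting entries or reading the CRL number.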