
xCertificateImport and Certificate Revocation Lists

Open brettjacobson opened this issue 8 years ago • 1 comments

Is it possible to use xCertificateImport on .crl's? If so, how do you get the thumbprint of a CRL?

brettjacobson Nov 04 '16 14:11

@brettjacobson - that is a good question. I've looked into this and I don't think this resource can be used to import a CRL. This is because behind the scenes it is using import-certificate which can't be used to perform CRL import.

That said, it "could" be possible to modify/create a resource that could import/update/remove CRLs. It would require the use of the certutil cmdlet: `certutil -addstore CA xyz.crl` to add a CRL to a store, and `certutil -store CA` to list all CER and CRL in a CA (this would mean filtering through all the CERs to find a list of CRLs, which would be pretty error prone and even possibly problematic with different locales).

There is a Hash assigned to a CRL that could be used as an identifier for the CRL. However, there isn't a built-in .NET object for managing CRL files, so the hash would need to be manually generated.

What I'm saying in summary is that this is possible but will be fiddly and potentially unreliable. What would be good is if there were some built-in cmdlets created to import/export CRLs like there are for CRT files.

If I get a chance I'll look at this further.

PlagueHO Nov 04 '16 21:11
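A sketch of the idempotent CRL import discussed in the comment above, added here as an example; it is not part of the thread or of CertificateDsc, and the function names are hypothetical. It assumes the hash certutil uses to identify a CRL is the SHA-1 of its DER encoding, and that `certutil -store` exits non-zero when the CertId argument matches nothing, which avoids parsing localized output.

```powershell
# Added example: hypothetical helper functions, not CertificateDsc code.
function Get-CrlSha1Hash {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -eq 0) { throw "CRL file '$full' is empty." }
    # DER begins with an ASN.1 SEQUENCE tag (0x30); anything else is treated as PEM.
    if ($bytes[0] -ne 0x30) {
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        $b64   = ($text -split '\r?\n' | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
        $bytes = [System.Convert]::FromBase64String($b64)
    }
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        # Assumption: certutil's CRL hash is the SHA-1 over the DER-encoded CRL.
        $hex = [System.BitConverter]::ToString($sha1.ComputeHash($bytes)) -replace '-', ''
        return $hex.ToLowerInvariant()
    }
    finally { $sha1.Dispose() }
}

function Test-CrlInStore {
    param([Parameter(Mandatory)][string]$Path, [string]$Store = 'CA')
    $hash = Get-CrlSha1Hash -Path $Path
    # certutil accepts a SHA-1 CRL hash as the CertId argument of -store,
    # so only the exit code is inspected, never the localized text.
    $null = & certutil.exe -store $Store $hash 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Set-CrlInStore {
    param([Parameter(Mandatory)][string]$Path, [string]$Store = 'CA')
    if (Test-CrlInStore -Path $Path -Store $Store) { return }   # already present
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Writes to the local machine store, so this needs an elevated session.
    $output = & certutil.exe -addstore $Store $full 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -addstore failed ($LASTEXITCODE): $($output -join ' ')"
    }
}

# Usage with the file name from the comment above:
# Set-CrlInStore -Path .\xyz.crl -Store CA
```

Because the hash changes with every reissued CRL, this treats each new CRL file as a new object; it does not remove the superseded one from the store.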