Mengambil Daftar Pencabutan Sertifikat
Otoritas sertifikasi (CA) bertanggung jawab untuk menerbitkan daftar pencabutan sertifikat (CRL). CRL saat ini dapat diambil dengan menggunakan metode ICertAdmin2::GetCRL . Dalam kasus di mana sertifikat CA telah diperbarui, Anda mungkin perlu mengambil CRL untuk sertifikat CA sebelumnya. Untuk informasi tentang perpanjangan CA, lihat Perpanjangan Otoritas Sertifikasi. Selain itu, CA mungkin menerbitkan CRL delta. Untuk mengambil CRL untuk sertifikat CA yang diperbarui atau CRL delta, gunakan metode ICertAdmin2::GetCAProperty atau ICertRequest2::GetCAProperty .
Contoh berikut menunjukkan pengambilan CRL saat ini.
ICertAdmin2 * pCertAdmin2 = NULL; // pointer to interface object
BSTR bstrCA = NULL; // variable for computer\CAname
BSTR bstrCRL = NULL; // variable to contain the retrieved CRL
HRESULT hr;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
if (FAILED(hr))
{
printf("Failed CoInitializeEx [%x]\n", hr);
goto error;
}
// Create the CertAdmin object,
// and get a pointer to its ICertAdmin interface.
hr = CoCreateInstance( CLSID_CCertAdmin,
NULL,
CLSCTX_INPROC_SERVER,
IID_ICertAdmin2,
(void **)&pCertAdmin2);
if (FAILED(hr))
{
printf("Failed CoCreateInstance pCertAdmin2 [%x]\n", hr);
goto error;
}
// Note the use of two '\' in C++ to produce one '\'.
bstrCA = SysAllocString(L"<COMPUTERNAMEHERE>\\<CANAMEHERE>");
if (bstrCA == NULL)
{
printf("Failed to allocate memory for bstrCA\n");
goto error;
}
// Retrieve the CRL.
hr = pCertAdmin2->GetCRL( bstrCA, CR_OUT_BINARY, &bstrCRL );
if (FAILED(hr))
{
printf("Failed GetCRL [%x]\n", hr);
goto error;
}
else
printf("CRL retrieved successfully\n");
// Use the CRL as needed...
// Processing is finished.
error:
// Free BSTR values.
if (NULL != bstrCA)
SysFreeString(bstrCA);
if (NULL != bstrCRL)
SysFreeString(bstrCRL);
// Clean up object resources.
if (NULL != pCertAdmin2)
pCertAdmin2->Release();
// Free COM resources.
CoUninitialize();
Contoh berikut menunjukkan pengambilan CRL dasar dan delta, termasuk untuk sertifikat CA yang telah diperbarui. Contohnya menggunakan ICertAdmin2::GetCAProperty, meskipun ICertRequest2::GetCAProperty menyediakan fungsionalitas serupa.
LONG nCACertCount, nIndex, nCRLState;
VARIANT variant;
VariantInit(&variant);
// Determine the number of CA certificates.
hr = pCertAdmin2->GetCAProperty(bstrCA,
CR_PROP_CASIGCERTCOUNT,
0,
PROPTYPE_LONG,
CR_OUT_BINARY,
&variant);
if (FAILED(hr))
{
printf("Failed call to GetCAProperty - "
"CR_PROP_CASIGCERTCOUNT\n");
goto error;
}
nCACertCount = variant.lVal;
VariantClear(&variant);
for (nIndex = 0; nIndex < nCACertCount; nIndex++)
{
// Determine the CRL state for each certificate index.
hr = pCertAdmin2->GetCAProperty(bstrCA,
CR_PROP_CRLSTATE,
nIndex,
PROPTYPE_LONG,
CR_OUT_BINARY,
&variant);
if (FAILED(hr))
{
printf("Failed call to GetCAProperty - "
"CR_PROP_CRLSTATE\n");
goto error;
}
nCRLState = variant.lVal;
VariantClear(&variant);
// Process certificate indices only when
// the CRL state is valid.
if (CA_DISP_VALID == nCRLState)
{
// Retrieve the base CRL.
hr = pCertAdmin2->GetCAProperty(bstrCA,
CR_PROP_BASECRL,
nIndex,
PROPTYPE_BINARY,
CR_OUT_BINARY,
&variant);
if (FAILED(hr))
{
printf("Failed call to GetCAProperty - "
"CR_PROP_BASECRL\n");
goto error;
}
// Use the base CRL as needed (not shown).
// ...
VariantClear(&variant);
// Retrieve the delta CRL.
hr = pCertAdmin2->GetCAProperty(bstrCA,
CR_PROP_DELTACRL,
nIndex,
PROPTYPE_BINARY,
CR_OUT_BINARY,
&variant);
if (FAILED(hr))
{
printf("Failed call to GetCAProperty - "
"CR_PROP_DELTACRL\n");
goto error;
}
// Use the delta CRL as needed (not shown).
// ...
VariantClear(&variant);
}
}
// Processing is finished.
error:
// Clean up object resources.
if ( NULL != pCertAdmin2 )
pCertAdmin2->Release();
// Free BSTR variables.
if ( NULL != bstrCA )
SysFreeString ( bstrCA );
// Clear the variant.
VariantClear(&variant);
```