How to generate a certificate revocation list (CRL)
One important thing that a Certificate Authority must have is a Certificate Revocation List, or CRL. The most common CA software is OpenSSL, so if your CA system relies on OpenSSL you have to generate the CRL on a regular basis using the openssl command.
Generate the CRL as follows:
openssl ca -gencrl -keyfile cakey.pem -cert cacert.pem -out cacrl.pem -crldays 30
As a result, you will get cacrl.pem in the current directory, which is valid for 30 days from now.
Revoking:
openssl ca -revoke badcert.pem -keyfile cakey.pem -cert cacert.pem
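After this point, don't forget to regenerate the CRL with the -gencrl command above and publish it immediately, because -revoke only marks the certificate as revoked in the CA database.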
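The revoke-then-regenerate sequence above, run end to end against a throwaway CA, as an added example that is not part of the original post. The config file ca.cnf, the request bad.csr and the subject names are assumptions made for the demo; it checks badcert.pem against the CRL before revocation, after -revoke alone, and after a fresh -gencrl.

```sh
#!/bin/sh
# Added example: throwaway CA in a temp directory. ca.cnf, bad.csr and the
# subject names are constructed; the .pem names follow the post.
check() {   # "valid" or "revoked" for badcert.pem against cacrl.pem
    if openssl verify -crl_check -CAfile cacert.pem -CRLfile cacrl.pem \
        badcert.pem >/dev/null 2>&1; then echo valid; else echo revoked; fi
}
gencrl() {  # the post's -gencrl command, plus the demo config
    openssl ca -gencrl -config ca.cnf -keyfile cakey.pem -cert cacert.pem \
        -out cacrl.pem -crldays 30 2>/dev/null
}
crl_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
        -subj "/CN=Demo CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=bad.example" -keyout badkey.pem -out bad.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -keyfile cakey.pem \
        -cert cacert.pem -in bad.csr -out badcert.pem 2>/dev/null
    gencrl; before=$(check)   # CRL issued before the revocation
    openssl ca -config ca.cnf -revoke badcert.pem -keyfile cakey.pem \
        -cert cacert.pem 2>/dev/null
    stale=$(check)            # -revoke only updated index.txt
    gencrl; fresh=$(check)    # regenerated CRL now lists the serial
    cd / && rm -rf "$d"
    echo "$before $stale $fresh"
)
crl_demo   # prints: valid valid revoked
```

The middle result is the one to watch: clients holding the old cacrl.pem keep accepting the revoked certificate until the regenerated CRL reaches them.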
Tags: openssl, certificate authority, crl
- sugree's blog