pkiutil issuecrl -addrevocation <cert>

Adds a certificate to a CRL.

pkiutil issuecrl -addrevocation <cert> -cacert <cacert> -caprivkey <caprivkey> -crlfile <crlfile> -revdate <revdate> -thisupdate <thisupdate> -nextupdate <nextupdate> -sigalg <sigalg> [-sigalg <sigalg>... -sigalg <sigalg>]

For example:

pkiutil issuecrl -cacert compositeca.pem -caprivkey priv.pem -crlfile composite.crl -addrevocation mysubcert.cer -revdate 28/7/2021 -nextupdate 03/02/2022 -sigalg SHA256withRSA -sigalg SHA256withECDSA

See below for a description of each option.

-addrevocation <cert>

Add the <cert> certificate to the CRL, where <cert> is the name of a file containing the certificate.

Mandatory: Yes.

-cacert <cacert>

Select the CA using <cacert>, where <cacert> is the name of a file containing the CA certificate.

Mandatory: Yes.

-caprivkey <caprivkey>

Sign the CRL with the <caprivkey> key, where <caprivkey> is the name of a file containing the CA private key.

Mandatory: Yes.

-crlfile <crlfile>

Add the certificate to the <crlfile> CRL, where <crlfile> is the name of a file generated with pkiutil issuecrl -createnew.

Mandatory: Yes.

-nextupdate <nextupdate>

Set <nextupdate> as the value of the NextUpdate field described in RFC 5280.

Mandatory: Yes.

-revdate <revdate>

Set <revdate> as the revocation date for the certificate.

Mandatory: Yes.

-sigalg <sigalg>

Sign the CRL with the <sigalg> algorithm, where <sigalg> is one of the algorithm identifiers listed in PKIUtil algorithm reference. Select more than one algorithm to generate a composite CRL.

Mandatory: Yes.

-thisupdate <thisupdate>

Set <thisupdate> as the value of the ThisUpdate field described in RFC 5280.

Mandatory: Yes.
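
The following pre-flight check is an added example, not part of pkiutil or its documentation. It compares an argument list against the options marked "Mandatory: Yes" above and against the synopsis, in which only -sigalg may repeat. The function name check_addrevocation_args and the rule that option values never begin with "-" are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for an "issuecrl -addrevocation" argument list.
# Not part of pkiutil. Option names come from the "Mandatory: Yes" entries above.
MANDATORY="-addrevocation -cacert -caprivkey -crlfile -revdate -thisupdate -nextupdate -sigalg"

# Usage: check_addrevocation_args <arguments that follow "pkiutil issuecrl">
# Prints one line per problem and returns 1 if any problem was found.
check_addrevocation_args() {
    seen=" "
    problems=0
    while [ $# -gt 0 ]; do
        opt=$1
        shift
        case " $MANDATORY " in
            *" $opt "*) ;;
            *) echo "unknown option $opt"; problems=$((problems + 1)); continue ;;
        esac
        # Assumption: every option takes one value, and values never start with "-".
        if [ $# -eq 0 ] || [ "${1#-}" != "$1" ]; then
            echo "missing value for $opt"; problems=$((problems + 1))
        else
            shift
        fi
        # Per the synopsis, only -sigalg may be repeated (composite CRL).
        case "$seen" in
            *" $opt "*)
                [ "$opt" = "-sigalg" ] || { echo "repeated option $opt"; problems=$((problems + 1)); } ;;
        esac
        seen="$seen$opt "
    done
    # Every option in the list above must have appeared at least once.
    for opt in $MANDATORY; do
        case "$seen" in
            *" $opt "*) ;;
            *) echo "missing mandatory option $opt"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Demo on the example command from this page (arguments after "pkiutil issuecrl").
check_addrevocation_args -cacert compositeca.pem -caprivkey priv.pem \
    -crlfile composite.crl -addrevocation mysubcert.cer -revdate 28/7/2021 \
    -nextupdate 03/02/2022 -sigalg SHA256withRSA -sigalg SHA256withECDSA \
    || echo "=> review the arguments before invoking pkiutil"
```

The check only compares option names with the list on this page; it does not parse dates or open any of the named files.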