Add possibility for Sub-CA to be revoked, Removed auto-creation of empty crl for revokecertificate call with CA

[KircMax]

Proposed changes

Describe the changes here to communicate to the maintainers why we should accept this pull request. If it fixes a bug or resolves a feature request, be sure to link to that issue.

Related Issues

• Fixes How to Revoke a Sub-CA using RevokeCertificate of CertificateGroup #3536

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

If we do want to keep the comfort with the empty crl creation for cas we could add that if the CA is a root-ca but I am not sure that this is great behaviour to have that 'different handling'.

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

[codecov]

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.76%. Comparing base (d25caff) to head (a9e9449).
⚠️ Report is 112 commits behind head on master.

Files with missing lines	Patch %	Lines
...ack/Opc.Ua.Core/Security/Certificates/X509Utils.cs	0.00%	10 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3547      +/-   ##
==========================================
+ Coverage   51.86%   57.76%   +5.89%     
==========================================
  Files         370      359      -11     
  Lines       78618    75151    -3467     
  Branches    13650    13276     -374     
==========================================
+ Hits        40779    43411    +2632     
+ Misses      33705    27578    -6127     
- Partials     4134     4162      +28     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[KircMax]

maybe we should throw here when the certificate is 'self-signed' (root-CA) or back to the comfort and just provide the CRL without the root cert ?

[romanett]

yeah please throw when it is a self signed cert, it makes not sense to revoke in this case.

[marcschier]

No dependency on BouncyCastle except for netframework. This needs to be done using .net APIs.

[romanett]

this method is only called by tests and not used by the GDS Library, not so shure what to think about that.