Mister PKI

openssl crl

March 19, 2021 by Mister PKI

The openssl crl command and utility will process CRL (Certificate Revocation List) files in both DER and PEM format. The location of a CA's CRL is published in the X.509 certificate itself, in the CRL Distribution Points extension, which the Firefox certificate viewer labels “CRL Endpoints”.

Here is a screenshot from the Mozilla Firefox certificate viewer of the SSL certificate installed at https://example.com.

[Screenshot: the “CRL Endpoints” section of the Firefox certificate viewer]

From here, we will download a CRL to use in the openssl crl examples below. Before going through the openssl crl command, you may be asking how to view a certificate revocation list at all. Head over to our online CRL Decoder to parse a PEM encoded CRL and view the list of revoked certificates.

To view a list of revoked certificates contained in the CRL, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -text -noout

Where -in ssca-sha2-g6.crl is the CRL downloaded from the example.com certificate, -inform DER specifies that this CRL is in DER format, -text prints the contents of the CRL in human-readable form, and -noout suppresses the encoded CRL that would otherwise be printed after it.

Items of interest in the CRL include:

Signature Algorithm: sha256WithRSAEncryption

which shows the CRL is signed with the sha256WithRSAEncryption algorithm.

Serial Number: [redacted]

The serial number of a revoked certificate.

Revocation Date: Apr 18 23:26:49 2020 GMT

The date the certificate with a specified serial number was revoked.

CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise

Some revocations also include the reason the certificate was revoked, as shown above. Remember, if your private key has been compromised, all data encrypted to your server will be readable by whoever holds a copy of that key, so you must replace your keys and certificates immediately, and also fix the issue that allowed the key to be compromised, or the new key will just be compromised again.

Additional openssl crl commands

openssl crl check

To check if your certificate has been revoked and included in a CRL, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -text -noout | grep YOUR_SERIAL_NUMBER

To convert a CRL file from DER to PEM format, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -outform PEM -out crl.pem

Where -in ssca-sha2-g6.crl is the previously downloaded CRL, -inform DER must be specified in this conversion to tell openssl that the format is DER, -outform PEM means to convert to PEM format, and -out crl.pem is the file to hold the PEM formatted CRL.

Note the PEM formatted CRL header and footer:

-----BEGIN X509 CRL-----
-----END X509 CRL-----

To convert a CRL file from PEM to DER format, run the following command:

openssl crl -in crl.pem -outform DER -out crl.der

Where -in crl.pem is the PEM formatted CRL, -outform DER means to convert to DER format, and -out crl.der is the file that will store the DER formatted CRL.

To display the issuer of the CRL, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -issuer -noout

Verify the CRL signature

To verify that the CRL was really signed by the issuer printed above, first download the signing certificate (the issuing CA certificate) from the CA's website, or take it from your root store, and point to it in the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -CAfile DigiCertSHA2SecureServerCA.crt -noout

Where -CAfile DigiCertSHA2SecureServerCA.crt is the file containing the signing certificate. Look for verify OK (openssl prints it on stderr, not stdout) to know the signature is valid; verify failure, or an error about the CRL issuer certificate, means the CRL did not verify against the certificate you supplied.

View when the CRL was last updated

To display the date and time the CRL was last updated, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -lastupdate -noout

View when the CRL will next be updated

To display the date and time the CRL will next be updated, run the following command:

openssl crl -in ssca-sha2-g6.crl -inform DER -nextupdate -noout
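The post shows each check as a separate command. The script below, which is an added example and not code from the original post or from the OpenSSL project, ties the revocation check, the DER/PEM conversion, the signature verification and the nextUpdate check together in the order a defender should run them: trust the CRL's signature first, make sure it is still current, and only then look the serial up. Because a real CRL and CA certificate cannot be downloaded in an offline example, the script builds a throwaway CA with one revoked and one valid leaf certificate; every name in it (Demo CA, revoked.leaf.example, good.leaf.example) is made up, and the only assumption is that the openssl command-line tool (1.1.1 or 3.x) is on PATH. It also goes one step beyond the post: `openssl verify -crl_check` performs all three checks in one command, including rejecting a CRL whose nextUpdate has passed.

```shell
#!/bin/sh
# Added example, not from the Mister PKI post: build a throwaway CA with one
# revoked and one valid leaf certificate, then run the CRL checks the post
# describes in the order a defender should run them. Assumes the openssl CLI
# (1.1.1 or 3.x) is on PATH; every name below (Demo CA, *.leaf.example) is made up.
set -eu

# make_demo_pki: create a CA and two leaf certs, revoke one for keyCompromise
# and issue a CRL in PEM and DER form in a fresh temp dir. Prints the directory.
make_demo_pki() {
  dir=$(mktemp -d)
  (
    cd "$dir" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.crt &&
    for name in revoked good; do
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.leaf.example" \
        -keyout "$name.key" -out "$name.csr" &&
      openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -sha256 -out "$name.crt" || exit 1
    done &&
    # the smallest 'openssl ca' config that -revoke and -gencrl accept
    cat > ca.cnf <<'EOF' &&
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
EOF
    : > index.txt && echo 01 > crlnumber &&
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
      -revoke revoked.crt -crl_reason keyCompromise &&
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out crl.pem &&
    openssl crl -in crl.pem -outform DER -out crl.der
  ) >/dev/null 2>&1 || return 1
  echo "$dir"
}

# crl_is_trusted CRL_DER CA_CERT: succeed only when the CRL signature verifies
# against the given certificate. openssl prints "verify OK" on stderr.
crl_is_trusted() {
  openssl crl -in "$1" -inform DER -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# crl_der_to_pem CRL_DER OUT_PEM: the post's DER to PEM conversion; prints the
# first line of the result so the "-----BEGIN X509 CRL-----" header can be checked.
crl_der_to_pem() {
  openssl crl -in "$1" -inform DER -outform PEM -out "$2"
  head -n 1 "$2"
}

# serial_in_crl CERT CRL_DER: prints "revoked" if the certificate's own serial
# is listed in the CRL, otherwise "good". The serial is read from the cert and
# matched as a whole line, so it cannot hit a longer serial with the same digits.
serial_in_crl() {
  serial=$(openssl x509 -in "$1" -serial -noout | sed 's/^serial=//')
  if openssl crl -in "$2" -inform DER -text -noout |
       grep -q "^ *Serial Number: ${serial}\$"; then
    echo revoked
  else
    echo good
  fi
}

# revocation_reason CRL_DER: prints the CRL Reason Code of the first entry.
revocation_reason() {
  openssl crl -in "$1" -inform DER -text -noout |
    awk '/CRL Reason Code/ { getline; sub(/^ */, ""); print; exit }'
}

# cert_status CERT CA_CERT CRL_PEM: the complete check in one command.
# 'openssl verify -crl_check' verifies the CRL signature, rejects a CRL whose
# nextUpdate has passed, and then looks the serial up. Prints ok/revoked/error.
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# Stand-alone run: build the demo PKI and print each check's result.
demo=$(make_demo_pki)
echo "CRL signature trusted:    $(crl_is_trusted "$demo/crl.der" "$demo/ca.crt" && echo yes || echo no)"
echo "PEM header:               $(crl_der_to_pem "$demo/crl.der" "$demo/converted.pem")"
echo "revoked.crt in CRL:       $(serial_in_crl "$demo/revoked.crt" "$demo/crl.der")"
echo "good.crt in CRL:          $(serial_in_crl "$demo/good.crt" "$demo/crl.der")"
echo "reason:                   $(revocation_reason "$demo/crl.der")"
echo "openssl verify (revoked): $(cert_status "$demo/revoked.crt" "$demo/ca.crt" "$demo/crl.pem")"
echo "openssl verify (good):    $(cert_status "$demo/good.crt" "$demo/ca.crt" "$demo/crl.pem")"
```

Two details matter when you adapt this to a real CRL. The serial you grep for must come from the certificate (`openssl x509 -serial -noout`) rather than be typed by hand, and the match should be anchored to the whole line, since a bare `grep YOUR_SERIAL_NUMBER` also matches any longer serial that contains those digits. And `verify OK` is written to stderr, so a pipeline that only captures stdout will never see it.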

For information on the openssl crl2pkcs7 command, read this post.

To read more about the new Firefox certificate viewer, check out this article: https://www.ghacks.net/2019/08/27/firefox-71-has-a-new-certificates-viewer/
