The openssl crl utility processes CRL (Certificate Revocation List) files in either DER or PEM format. The location of a certificate's CRL is listed in the certificate itself, under the "CRL Endpoints" section of the Firefox viewer (the X.509 CRL Distribution Points extension).
Here is a screenshot from the Mozilla Firefox certificate viewer of the SSL certificate installed at https://example.com.
From here, we download the CRL to demonstrate the openssl crl utility.
To view a list of revoked certificates contained in the CRL, run the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -text -noout
-in ssca-sha2-g6.crl is the CRL downloaded from the example.com certificate,
-inform DER specifies that this CRL is in DER format, and
-text prints the contents of the CRL in human-readable form, while -noout suppresses printing the encoded CRL itself.
Items of interest in the CRL include:
Signature Algorithm: sha256WithRSAEncryption
which shows the CRL is signed with the sha256WithRSAEncryption algorithm.
Serial Number: [redacted]
The serial number of a revoked certificate.
Revocation Date: Apr 18 23:26:49 2020 GMT
The date the certificate with a specified serial number was revoked.
CRL entry extensions: X509v3 CRL Reason Code: Key Compromise
Some revocations also include the reason the certificate was revoked, as shown above. Remember, if your private key has been compromised, all data encrypted to your server will be readable by the entity that holds a copy of your private key, so you must replace your keys and certificates immediately, and also fix the weakness that allowed the key to be compromised, or the new key will simply be compromised again.
Additional openssl crl commands
openssl crl check
To check whether your certificate has been revoked and included in a CRL, run the following command (the serial number must be written as -text prints it, in uppercase hexadecimal):
openssl crl -in ssca-sha2-g6.crl -inform DER -text -noout | grep YOUR_SERIAL_NUMBER
To convert a CRL file from DER to PEM format, run the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -outform PEM -out crl.pem
-in ssca-sha2-g6.crl is the previously downloaded CRL,
-inform DER must be specified in this conversion because openssl assumes PEM input by default,
-outform PEM means to convert to PEM format, and
-out crl.pem is the file to hold the PEM formatted CRL.
Note the PEM formatted CRL header and footer:
-----BEGIN X509 CRL-----
-----END X509 CRL-----
To convert a CRL file from PEM to DER format, run the following command:
openssl crl -in crl.pem -outform DER -out crl.der
-in crl.pem is the PEM formatted CRL,
-outform DER means to convert to DER format, and
-out crl.der is the file that will store the DER formatted CRL.
To display the issuer of the CRL, run the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -issuer -noout
Verify the CRL signature
To verify that the CRL was signed by the issuer shown above, first download the signing certificate from the issuer's website or take it from your root store, then point to it in the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -CAfile DigiCertSHA2SecureServerCA.crt -noout
-CAfile DigiCertSHA2SecureServerCA.crt is the file containing the signing certificate. Look for
verify OK in the output to know the signature is valid; if the signature does not verify, do not trust the revocation list.
View when the CRL was last updated
To display the date and time the CRL was last updated, run the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -lastupdate -noout
View when the CRL will next be updated
To display the date and time the CRL will next be updated, run the following command:
openssl crl -in ssca-sha2-g6.crl -inform DER -nextupdate -noout
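The following script is an added example and is not part of the original post. It ties together the "openssl crl check", "Verify the CRL signature" and "next update" steps above in one function: it builds a throwaway CA and CRL with openssl (the names, serial numbers and file paths are all made up for the demo), verifies the CRL signature with -CAfile before trusting it, looks the serial up in the -text output, and reports the reason code and nextUpdate where available. It auto-detects PEM or DER input so the same function works for both encodings discussed above.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates checking a serial
# number against a CRL the way the post describes: verify the CRL signature
# with -CAfile first, then grep the -text output for the serial.
set -e

# make_fixture_crl: build a throwaway CA under $WORK/ca with one issued
# certificate (serial 0x1000) that is then revoked for keyCompromise.
# Everything here (CA name, serial, paths) is constructed for the demo.
make_fixture_crl() {
  WORK=$(mktemp -d)
  mkdir -p "$WORK/ca/newcerts"
  (
    cd "$WORK/ca"
    : > index.txt
    echo 1000 > serial      # openssl ca reads this as hex, so the cert gets serial 1000
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = newcerts
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt 2>/dev/null
    openssl ca -batch -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    openssl crl -in crl.pem -outform DER -out crl.der   # same CRL, DER encoded
  )
}

# crl_check_serial CRL_FILE CA_CERT SERIAL_HEX
# Returns 0 if the serial is revoked, 1 if it is not listed, 2 if the CRL
# signature does not verify against CA_CERT (an unverified CRL proves nothing).
crl_check_serial() {
  crl=$1; ca=$2
  serial=$(printf '%s' "$3" | tr 'abcdef' 'ABCDEF')   # -text prints serials in uppercase hex
  # PEM CRLs carry the "-----BEGIN X509 CRL-----" header; anything else is treated as DER.
  if grep -q 'BEGIN X509 CRL' "$crl" 2>/dev/null; then inform=PEM; else inform=DER; fi
  # "verify OK" goes to stderr, so merge the streams before grepping.
  if ! openssl crl -in "$crl" -inform "$inform" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
    echo "CRL signature does not verify against $ca"
    return 2
  fi
  text=$(openssl crl -in "$crl" -inform "$inform" -text -noout)
  if printf '%s\n' "$text" | grep -q "^ *Serial Number: $serial\$"; then
    # The reason code, when present, is printed on the line after "CRL Reason Code:".
    reason=$(printf '%s\n' "$text" | awk -v s="$serial" '
      $0 ~ "^ *Serial Number: " s "$" { hit = 1; next }
      hit && /Serial Number:/ { exit }
      hit && /CRL Reason Code/ { getline; sub(/^ +/, ""); print; exit }')
    echo "serial $serial is REVOKED${reason:+ ($reason)}"
    return 0
  fi
  echo "serial $serial is not listed ($(openssl crl -in "$crl" -inform "$inform" -nextupdate -noout))"
  return 1
}

# Stand-alone demonstration: build the fixture, then query a revoked and an unknown serial.
make_fixture_crl
crl_check_serial "$WORK/ca/crl.der" "$WORK/ca/ca.crt" 1000 || true   # revoked (Key Compromise)
crl_check_serial "$WORK/ca/crl.der" "$WORK/ca/ca.crt" 2000 || true   # not listed
```

The signature check comes before the serial lookup on purpose: a CRL that does not verify against the issuer's certificate could have been tampered with, and an entry that is missing from it tells you nothing. The nextUpdate printed for a miss is the cue to fetch a fresh CRL when the current one has expired.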
For information on the openssl crl2pkcs7 command, read this post.
To read more about the new Firefox certificate viewer, check out this article: https://www.ghacks.net/2019/08/27/firefox-71-has-a-new-certificates-viewer/