OpenSSL "ca -gencrl" - Generate CRL

Q

How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked.

✍: FYIcenter.com

A

If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -gencrl -keyfile my_ca.key -cert my_ca.crt -out my_ca.crl
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter

OpenSSL>exit

C:\Users\fyicenter>type my_ca.crl
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

Notes about the above test:

  • The "-gencrl" option tells the "ca" command to generate a CRL file based on the certificate database.
  • The "-keyfile my_ca.key" option tells the "ca" command to read the CA private key, which signs the CRL, from the given file.
  • The "-cert my_ca.crt" option tells the "ca" command to read the CA certificate from the given file.
  • The "-out my_ca.crl" option tells the "ca" command to store the CRL in the given file.
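
The same "ca -gencrl" step run end to end against a disposable test CA, followed by a signature check of the resulting CRL. This is an added example, not part of the original tutorial; the ca.cnf contents, the index.txt and crlnumber file names, the "Example Test CA" subject and the unencrypted key are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA in a scratch directory; every name is constructed.
gencrl_demo() (
    cd "$1" || exit 1

    # Minimal configuration: only the settings the commands below read.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30

[ req ]
distinguished_name = dn

[ dn ]
EOF

    # Certificate database (empty: nothing revoked yet) and the next CRL number.
    : > index.txt
    echo 01 > crlnumber

    # Test CA key and self-signed certificate. The key is unencrypted only
    # because it is disposable; the tutorial's my_ca.key has a pass phrase.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=Example Test CA" -days 30 \
        -keyout my_ca.key -out my_ca.crt 2>/dev/null || exit 1

    # Same command as in the tutorial, pointed at the demo configuration.
    openssl ca -config ca.cnf -gencrl -keyfile my_ca.key -cert my_ca.crt \
        -out my_ca.crl 2>/dev/null || exit 1

    # Check the CRL signature against the CA certificate before publishing.
    # The verdict is reported as text, so match on "verify OK".
    openssl crl -in my_ca.crl -CAfile my_ca.crt -noout 2>&1 | grep -q "verify OK"
)

gencrl_demo "$(mktemp -d)" && echo "CRL generated and verified"
```

Relying parties perform the same signature check, so a CRL that does not report "verify OK" against the published CA certificate should not be distributed.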

 


2016-09-10