OpenSSL "ca -gencrl" - Generate CRL

Q

How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked.

✍: FYIcenter.com

A

If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -gencrl -keyfile my_ca.key -cert my_ca.crt -out my_ca.crl
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter

OpenSSL>exit

C:\Users\fyicenter>type my_ca.crl
-----BEGIN X509 CRL-----
MIIBnTCCAQYCAQEwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNVBAYTAlVTMQswCQYD
VQQIDAJUWDENMAsGA1UEBwwEQ2l0eTEWMBQGA1UECgwNRllJY2VudGVyLmNvbTER
MA8GA1UECwwIU2VjdXJpdHkxGjAYBgNVBAMMEUZZSWNlbnRlciBSb290IENBMSQw
IgYJKoZIhvcNAQkBFhVyb290LWNhQGZ5aWNlbnRlci5jb20XDTE2MDkwMjE4MDQx
OVoXDTE2MTAwMjE4MDQxOVowKjATAgIQABcNMTYwOTAxMDAzNDI2WjATAgIQAhcN
MTYwOTAxMDE0MzQ2WqAPMA0wCwYDVR0UBAQCAhAAMA0GCSqGSIb3DQEBCwUAA4GB
AJi8u8UZ23ygK/bZP4rMXOiFwcK+edwYZGa8or9U76j4yA7u7qlEg5VwzTn0FcEF
FITl85awHJGehuTE3b3uCR/UtgFnR6OHFN6U+DsJbBrw8573ardp+a3dxRLbiVec
DIPxvSpdHqAEe5Z3bcc9ZfEj2BueC0Q0q3dAUy0533JL
-----END X509 CRL-----

Notes about the above test:

The "-gencrl" option tells the "ca" command to generate a CRL file based on the certificate database.
The "-keyfile my_ca.key" option tells "ca" command to read the private key from the given file.
The "-cert my_ca.crt " option tells "ca" command to read the CA certificate from the given file.
The "-out my_ca.crl" option tells "ca" command to store CRL in the given file.

⇒ OpenSSL "crl -text" - View CRL in Test Format

⇐ OpenSSL "ca" - "error while loading CRL number"

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-10, ≈14🔥, 0💬

💬 2024-03-12 Chris: Thanks for this :)

💬 2022-04-11 yaqeen: openssl ca -config myCA_openssl.cnf -policy policy_anything \ -md sha256 -days 3650 \ -in server.csr -out server.crt -batch \ -c...

OpenSSL "ca" Error "failed to update database TXT_DB error number 2"
Why I am getting the "failed to update database TXT_DB error number 2" error when running OpenSSL "ca" command? If you are using the OpenSSL "ca" command to sign a CSR that has the same DN (Distinguished Name) fields as an old CSR you have signed before, you will get the "failed to update database T... 2016-09-13, ≈15🔥, 0💬

OpenSSL "ca -gencrl" - Generate CRL
How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked. If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, ≈14🔥, 0💬

OpenSSL "crl -text" - View CRL in Test Format
How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL. If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, ≈13🔥, 0💬

OpenSSL "ca" - "error while loading CRL number"
Why I am getting the "error while loading CRL number" error when running OpenSSL "ca -gencrl" command? If you are running the OpenSSL "ca -gencrl" command installed with the slproweb binary package for Windows, you may get the "error while loading CRL number" error as shown below: C:\Users\fyicenter... 2016-09-10, ∼9065🔥, 0💬

OpenSSL "ca -revoke" - Revoke a Certificate
How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed. If you want revoke a certificate that was signed by you previously, you can use the OpenSSL "ca -revoke" command to revoke it. Actually, the certificat... 2016-09-10, ∼8278🔥, 0💬

OpenSSL [ca] Section in Configuration File
How to provide OpenSSL "ca" command options in the configuration file? I see examples of using the [ca] section. Yes, you can use the [ca] section to help providing OpenSSL "ca" command options in the configuration file. But there are 4 ways to provide "ca" command options: 1. Using unnamed section ... 2016-09-09, ∼5206🔥, 0💬

OpenSSL "ca -selfsign" - Self Sign CSR
How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command? You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key. But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR... 2016-09-09, ∼4021🔥, 0💬

OpenSSL "ca -config" - Using Configuration File
Can I use my own configuration file when running "ca" command? Yes, you can specify your own configuration file using the "-config file" option when running the "ca" command. OpenSSL configuration file allows you to control the behavior of the "ca" command with the following options: certificate - T... 2016-09-09, ∼3451🔥, 0💬

OpenSSL "ca" - Sign the CSR Again
How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c... 2016-09-10, ∼3191🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.