OpenSSL "crl -text" - View CRL in Test Format

Q

How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL.

✍: FYIcenter.com

A

If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> crl -in my_ca.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security
           /CN=FYIcenter Root CA/emailAddress=root-ca@fyicenter.com
        Last Update: Sep  2 22:06:15 2016 GMT
        Next Update: Oct  2 22:06:15 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                4097
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Sep  1 04:34:26 2016 GMT
    Serial Number: 1002
        Revocation Date: Sep  1 04:43:46 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:
         ea:88:2e:05:4b:2b:0f:80:f7:fc:2b:50:3d:60:b7:be:eb:c6:
         9d:ee:81:32:12:4e:48:15:7b:cd:e3:d1:48:98:b0:59:8d:11:
         39:dc:89:8a:06:3a:1a:3d:58:32:d4:51:db:da:da:90:e9:f2:
         7c:a6:92:89:86:43:32:29:d2:56:39:ff:41:3a:d3:e6:72:7c:
         97:cf:bc:fe:f4:06:47:49:3b:5a:63:54:30:50:c0:e5:75:9b:
         3b:b9:ab:f4:11:c2:82:49:cd:0e:17:e1:95:84:53:53:01:af:
         e8:4c

Components of a CRL:

"Version 2 (0x1)" - Indicates the version of the CRL file format: v2.
"Signature Algorithm: sha256WithRSAEncryption" - Indicates the algorithm used in the digital signature: SHA256 with RSA.
"Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security ..." - Indicates the issuer of the CRL: FYIcenter Root CA.
"Last Update: Sep 2 ..." - Indicates the date when this CRL was issued.
"Next Update: Oct 2 ..." - Indicates the date when the next update of this CRL will be issued.
"X509v3 CRL Number: 4097" - Indicates the serial number of this CRL: 4087.
"Revoked Certificates: Serial Number: 1000 ..." - Indicates the list of certificate serial numbers that has been revoked.
"36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:" - Indicates the digital signature of this CRL.

⇒ OpenSSL "ca -selfsign" - Self Sign CSR

⇐ OpenSSL "ca -gencrl" - Generate CRL

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-10, 1806👍, 0💬

OpenSSL "ca" Error "... directory for new certificate ..."
Why I am getting the "there needs to be defined a directory for new certificate to be placed in" error when running OpenSSL "ca" command? You are getting the "there needs to be defined a directory for new certificate to be placed in" error, because OpenSSL "ca" command can not find the required "new... 2016-09-09, 5835👍, 0💬

OpenSSL "ca" Error "failed to update database TXT_DB error number 2"
Why I am getting the "failed to update database TXT_DB error number 2" error when running OpenSSL "ca" command? If you are using the OpenSSL "ca" command to sign a CSR that has the same DN (Distinguished Name) fields as an old CSR you have signed before, you will get the "failed to update database T... 2016-09-13, 4389👍, 0💬

OpenSSL "ca" - "error while loading CRL number"
Why I am getting the "error while loading CRL number" error when running OpenSSL "ca -gencrl" command? If you are running the OpenSSL "ca -gencrl" command installed with the slproweb binary package for Windows, you may get the "error while loading CRL number" error as shown below: C:\Users\fyicenter... 2016-09-10, 4292👍, 0💬

OpenSSL "ca -gencrl" - Generate CRL
How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked. If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 3142👍, 0💬

OpenSSL "ca -revoke" - Revoke a Certificate
How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed. If you want revoke a certificate that was signed by you previously, you can use the OpenSSL "ca -revoke" command to revoke it. Actually, the certificat... 2016-09-10, 2259👍, 0💬

OpenSSL "crl -text" - View CRL in Test Format
How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL. If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 1807👍, 0💬

OpenSSL "ca -selfsign" - Self Sign CSR
How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command? You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key. But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR... 2016-09-09, 1516👍, 0💬

OpenSSL "ca" - Sign the CSR Again
How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c... 2016-09-10, 1350👍, 0💬

OpenSSL [ca] Section in Configuration File
How to provide OpenSSL "ca" command options in the configuration file? I see examples of using the [ca] section. Yes, you can use the [ca] section to help providing OpenSSL "ca" command options in the configuration file. But there are 4 ways to provide "ca" command options: 1. Using unnamed section ... 2016-09-09, 1315👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.