OpenSSL "crl -text" - View CRL in Text Format

Q

How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL.

✍: FYIcenter.com

A

If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> crl -in my_ca.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security
           /CN=FYIcenter Root CA/emailAddress=root-ca@fyicenter.com
        Last Update: Sep  2 22:06:15 2016 GMT
        Next Update: Oct  2 22:06:15 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                4097
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Sep  1 04:34:26 2016 GMT
    Serial Number: 1002
        Revocation Date: Sep  1 04:43:46 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:
         ea:88:2e:05:4b:2b:0f:80:f7:fc:2b:50:3d:60:b7:be:eb:c6:
         9d:ee:81:32:12:4e:48:15:7b:cd:e3:d1:48:98:b0:59:8d:11:
         39:dc:89:8a:06:3a:1a:3d:58:32:d4:51:db:da:da:90:e9:f2:
         7c:a6:92:89:86:43:32:29:d2:56:39:ff:41:3a:d3:e6:72:7c:
         97:cf:bc:fe:f4:06:47:49:3b:5a:63:54:30:50:c0:e5:75:9b:
         3b:b9:ab:f4:11:c2:82:49:cd:0e:17:e1:95:84:53:53:01:af:
         e8:4c

Components of a CRL:

  • "Version 2 (0x1)" - Indicates the version of the CRL file format: v2.
  • "Signature Algorithm: sha256WithRSAEncryption" - Indicates the algorithm used in the digital signature: SHA256 with RSA.
  • "Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security ..." - Indicates the issuer of the CRL: FYIcenter Root CA.
  • "Last Update: Sep 2 ..." - Indicates the date when this CRL was issued.
  • "Next Update: Oct 2 ..." - Indicates the date when the next update of this CRL will be issued.
  • "X509v3 CRL Number: 4097" - Indicates the serial number of this CRL: 4097.
  • "Revoked Certificates: Serial Number: 1000 ..." - Indicates the list of certificate serial numbers that have been revoked.
  • "36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:" - Indicates the digital signature of this CRL.
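The fields listed above are what a revocation check consumes. As an added example (not code from the original page), this Python script parses the "crl -text -noout" output shown above and reports whether a given serial number is revoked, treating a CRL past its Next Update as unable to vouch for a certificate. The function names and the fail-closed policy are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# The output shown above, with the issuer joined onto one line and the
# signature bytes left out.
SAMPLE = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security/CN=FYIcenter Root CA/emailAddress=root-ca@fyicenter.com
        Last Update: Sep  2 22:06:15 2016 GMT
        Next Update: Oct  2 22:06:15 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                4097
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Sep  1 04:34:26 2016 GMT
    Serial Number: 1002
        Revocation Date: Sep  1 04:43:46 2016 GMT
"""

def parse_time(text):
    # OpenSSL pads single-digit days ("Sep  2"); a CRL without nextUpdate prints NONE.
    if text is None or text.strip() == "NONE":
        return None
    return datetime.strptime(" ".join(text.split()),
                             "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    def field(label):
        m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else None
    number = re.search(r"X509v3 CRL Number:\s+(\S+)", text)
    entries = re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)\s+Revocation Date:\s*(.+)", text)
    return {
        "issuer": field("Issuer"),
        "last_update": parse_time(field("Last Update")),
        "next_update": parse_time(field("Next Update")),
        "crl_number": number.group(1) if number else None,
        # crl -text prints serial numbers in hex, so compare them as integers.
        "revoked": {int(s, 16): parse_time(d) for s, d in entries},
    }

def check_serial(crl, serial_hex, now):
    serial = int(serial_hex, 16)
    if serial in crl["revoked"]:
        return "revoked"
    # Past Next Update the list may miss newer revocations (assumed policy: fail closed).
    if crl["next_update"] is None or now > crl["next_update"]:
        return "unknown"
    return "good"
```

Parsing the text output does not authenticate the CRL; the signature still has to be verified against the issuing CA's certificate, which the "crl" command does when given the -CAfile option.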

 

2016-09-10