DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows

OpenSSL "crl -text" - View CRL in Test Format

Q

How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL.

✍: FYIcenter.com

A

If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below: 

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> crl -in my_ca.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security
           /CN=FYIcenter Root CA/emailAddress=root-ca@fyicenter.com
        Last Update: Sep  2 22:06:15 2016 GMT
        Next Update: Oct  2 22:06:15 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                4097
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Sep  1 04:34:26 2016 GMT
    Serial Number: 1002
        Revocation Date: Sep  1 04:43:46 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:
         ea:88:2e:05:4b:2b:0f:80:f7:fc:2b:50:3d:60:b7:be:eb:c6:
         9d:ee:81:32:12:4e:48:15:7b:cd:e3:d1:48:98:b0:59:8d:11:
         39:dc:89:8a:06:3a:1a:3d:58:32:d4:51:db:da:da:90:e9:f2:
         7c:a6:92:89:86:43:32:29:d2:56:39:ff:41:3a:d3:e6:72:7c:
         97:cf:bc:fe:f4:06:47:49:3b:5a:63:54:30:50:c0:e5:75:9b:
         3b:b9:ab:f4:11:c2:82:49:cd:0e:17:e1:95:84:53:53:01:af:
         e8:4c

Components of a CRL:

  • "Version 2 (0x1)" - Indicates the version of the CRL file format: v2.
  • "Signature Algorithm: sha256WithRSAEncryption" - Indicates the algorithm used in the digital signature: SHA256 with RSA.
  • "Issuer: /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security ..." - Indicates the issuer of the CRL: FYIcenter Root CA.
  • "Last Update: Sep 2 ..." - Indicates the date when this CRL was issued.
  • "Next Update: Oct 2 ..." - Indicates the date when the next update of this CRL will be issued.
  • "X509v3 CRL Number: 4097" - Indicates the serial number of this CRL: 4087.
  • "Revoked Certificates: Serial Number: 1000 ..." - Indicates the list of certificate serial numbers that has been revoked.
  • "36:1e:e6:24:a7:53:07:3a:89:a9:87:5b:0d:7d:36:d3:26:60:" - Indicates the digital signature of this CRL.

 

OpenSSL "ca -selfsign" - Self Sign CSR

OpenSSL "ca -gencrl" - Generate CRL

OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-10, 1245👍, 0💬

DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows