LinuxCommandLibrary

crl.1s

Convert CRL to PEM format

SYNOPSIS

openssl crl options

PARAMETERS

-inform PEM|DER
    Specifies the input format; PEM (default) or DER.

-outform PEM|DER
    Specifies the output format; PEM (default) or DER.

-in filename
    Specifies the input CRL file. If not specified, standard input is used.

-out filename
    Specifies the output CRL file. If not specified, standard output is used.

-text
    Prints the CRL in text form.

-noout
    Suppresses output of the encoded CRL.

-fingerprint
    Calculates and prints the SHA1 fingerprint of the CRL.

-dates
    Prints the lastUpdate and nextUpdate dates of the CRL.

-nextupdate time
    Specifies a different nextUpdate field, used for CRL generation. If it is not present the value defaults to 30 days.

-CAfile file
    Path to the trusted CA certificate file, used for CRL signature verification.

-CApath directory
    Path to a directory containing trusted CA certificates in PEM format, used for CRL signature verification.

-verify
    Verify the CRL signature.

DESCRIPTION

The `crl` command, part of OpenSSL, is used to generate, update, and examine Certificate Revocation Lists (CRLs). CRLs are essential for managing the validity of certificates issued by a Certificate Authority (CA). When a certificate is compromised, has to be withdrawn before its indicated expiry date, or is otherwise invalid, the CA revokes it and records the revocation in the CRL. The `crl` command can create a new CRL from scratch, add newly revoked certificates to an existing CRL, or output the contents of an existing CRL in a human-readable format, which allows administrators to verify whether a certificate is still considered trusted.

CRLs can be distributed to clients so that they can verify the validity of certificates, which makes `crl` a crucial tool for maintaining a secure and reliable PKI. It is used together with other `openssl` commands.

EXAMPLES

Display the contents of a CRL in text format:
openssl crl -in crl.pem -text -noout

Verify the signature of a CRL using a CA certificate:
openssl crl -in crl.pem -CAfile ca.pem -verify
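
A relying-party check built from the options above, as an added example that is not part of the original page: `crl_check` verifies the CRL signature against the CA and rejects a CRL whose Next Update time has passed. The function names, `CRL_INFORM`, the file names and the throwaway CA (created with `openssl req` and `openssl ca -gencrl`) are assumptions for the demo, and GNU `date` is assumed for parsing the timestamp.

```shell
# Added example; crl_check, make_demo_crl, CRL_INFORM and all file names are
# constructed for illustration. Assumes openssl and GNU date are installed.

# crl_check CRL CA [NOW_EPOCH]: 0 = signed by CA and still current,
# 1 = signature not verified, 2 = Next Update passed or unreadable.
crl_check() {
    cc_form=${CRL_INFORM:-PEM}
    cc_now=${3:-$(date -u +%s)}
    # -verify reports on stderr; require the explicit "verify OK" line
    # rather than trusting the exit status alone.
    cc_out=$(openssl crl -inform "$cc_form" -in "$1" -CAfile "$2" \
        -verify -noout 2>&1) || return 1
    printf '%s\n' "$cc_out" | grep -q '^verify OK' || return 1
    # -text prints a line such as: "Next Update: Jan  1 00:00:00 2030 GMT"
    cc_next=$(openssl crl -inform "$cc_form" -in "$1" -noout -text |
        sed -n 's/^ *Next Update: //p')
    [ -n "$cc_next" ] || return 2
    cc_next=$(date -u -d "$cc_next" +%s 2>/dev/null) || return 2
    [ "$cc_now" -lt "$cc_next" ] || return 2
}

# make_demo_crl DIR: throwaway CA (ca.key, ca.pem) plus an empty CRL valid
# for 7 days, written as crl.pem and converted to DER as crl.der.
make_demo_crl() {
    mkdir -p "$1" && : > "$1/index.txt" || return 1
    cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database = $1/index.txt
default_md = sha256
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl ca -gencrl -config "$1/ca.cnf" -cert "$1/ca.pem" \
        -keyfile "$1/ca.key" -crldays 7 -out "$1/crl.pem" 2>/dev/null || return 1
    openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"
}
```

Run `make_demo_crl /tmp/demo` and then `crl_check /tmp/demo/crl.pem /tmp/demo/ca.pem`; set `CRL_INFORM=DER` to check `crl.der` instead.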

SEE ALSO

openssl(1), openssl-ca(1)
