crl.1s

Display CRL information in text format

$ openssl crl -in [crl.pem] -text -noout

$ openssl crl -in [crl.pem] -outform DER -out [crl.der]

$ openssl crl -in [crl.der] -inform DER -out [crl.pem]

$ openssl crl -in [crl.pem] -CAfile [ca.pem] -verify

$ openssl crl -in [crl.pem] -issuer -noout

$ openssl crl -in [crl.pem] -lastupdate -nextupdate -noout

openssl crl [options] [-in file] [-out file]

openssl crl is the OpenSSL command for processing Certificate Revocation Lists (CRLs). CRLs are lists of digital certificates that have been revoked by the issuing Certificate Authority before their scheduled expiration date.
The command can parse, convert, and verify CRLs. It supports both PEM (Base64-encoded) and DER (binary) formats. CRL verification ensures the list was signed by the claimed CA and hasn't been tampered with.
CRLs are essential for PKI (Public Key Infrastructure) security, allowing systems to check whether a certificate has been revoked. The command provides detailed information about revoked certificates, revocation dates, and CRL validity periods.

-in FILE

Input CRL file to process.

Output file for the converted CRL.

Input format: PEM or DER.

Output format: PEM or DER.

Print CRL in human-readable text format.

Don't output the encoded CRL.

Verify the signature on the CRL.

CA certificate file for verification.

Print the issuer name.

Print the last update time.

Print the next update time.

Print the hash of the CRL issuer name.

CRLs can become large and may impact performance. Modern systems often prefer OCSP (Online Certificate Status Protocol) for real-time revocation checking. CRL verification requires the CA certificate that signed the CRL.

Certificate Revocation Lists were defined in X.509 standards and implemented in OpenSSL since its early versions. The CRL format was specified in RFC 5280. OpenSSL's crl command provides comprehensive tools for working with this critical PKI component.

x509(1), ca(1), verify(1), openssl(1)