crl.1s
Convert CRL to PEM format
SYNOPSIS
openssl crl options
PARAMETERS
-inform PEM|DER
Specifies the input format; PEM (default) or DER.
-outform PEM|DER
Specifies the output format; PEM (default) or DER.
-in filename
Specifies the input CRL file. If not specified, standard input is used.
-out filename
Specifies the output CRL file. If not specified, standard output is used.
-text
Prints the CRL in text form.
-noout
Suppresses output of the encoded CRL.
-fingerprint
Calculates and prints the SHA1 fingerprint of the CRL.
-dates
Prints the lastUpdate and nextUpdate dates of the CRL.
-nextupdate time
Specifies a different nextUpdate field, used for CRL generation. If it is not present the value defaults to 30 days.
-CAfile file
Path to the trusted CA certificate file, used for CRL signature verification.
-CApath directory
Path to a directory containing trusted CA certificates in PEM format, used for CRL signature verification.
-verify
Verifies the CRL signature.
DESCRIPTION
The `crl` command, part of OpenSSL, is used to generate, update, and examine Certificate Revocation Lists (CRLs). CRLs are essential for managing the validity of certificates issued by a Certificate Authority (CA). When a certificate is compromised or otherwise becomes invalid before its stated expiry date, the CA revokes it and records the revocation in the CRL. The `crl` command can create a new CRL from scratch, add newly revoked certificates to an existing CRL, or output the contents of an existing CRL in a human-readable format, which lets administrators check whether a certificate is still considered trusted. CRLs can be distributed to clients so that they can verify the validity of certificates, which makes the command a crucial tool for maintaining a secure and reliable PKI. It is invoked as a subcommand of the `openssl` command-line tool.
EXAMPLES
Display the contents of a CRL in text format:
openssl crl -in crl.pem -text -noout
Verify the signature of a CRL using a CA certificate:
openssl crl -in crl.pem -CAfile ca.pem -verify
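Scripted form of the signature check above, as an added example that is not part of the original page. It assumes a throwaway CA and an empty CRL produced with `openssl ca -gencrl` (see openssl-ca(1)); all file names, the CA subject and the helper functions make_demo_pki and verify_crl are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every file name and the CA subject below are constructed.

# make_demo_pki DIR: create two throwaway CAs that share one subject name but
# have different keys, plus an empty CRL signed by the first CA only.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
default_crl_days = 1
EOF
    : > "$d/index.txt"    # empty CA database: nothing has been revoked
    for n in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=Constructed Demo CA" -days 1 \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" \
        -cert "$d/ca.pem" -out "$d/crl.pem" 2>/dev/null
}

# verify_crl CRL CA: return 0 only if CRL carries a valid signature from CA.
verify_crl() {
    out=$(openssl crl -in "$1" -CAfile "$2" -verify -noout 2>&1) || return 1
    # Require the explicit success message as well as a zero exit status.
    printf '%s\n' "$out" | grep -q '^verify OK'
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_crl "$demo_dir/crl.pem" "$demo_dir/ca.pem" &&
    echo "issuing CA: signature accepted"
verify_crl "$demo_dir/crl.pem" "$demo_dir/other.pem" ||
    echo "same subject, different key: CRL rejected"
rm -rf "$demo_dir"
```

The second CA has the same subject name as the issuer, so the issuer lookup succeeds and only the signature check separates the two cases.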
SEE ALSO
openssl(1), openssl-ca(1)