crl.1s

openssl crl options

-inform PEM|DER
    Specifies the input format; PEM (default) or DER.

-outform PEM|DER
    Specifies the output format; PEM (default) or DER.

-in filename
    Specifies the input CRL file. If not specified, standard input is used.

-out filename
    Specifies the output CRL file. If not specified, standard output is used.

-text
    Prints the CRL in text form.

-noout
    Suppresses output of the encoded CRL.

-fingerprint
    Calculates and prints the SHA1 fingerprint of the CRL.

-dates
    Prints the lastUpdate and nextUpdate dates of the CRL.

-nextupdate time
    Specifies a different nextUpdate field, used for CRL generation. If it is not present the value defaults to 30 days.

-CAfile file
    Path to the trusted CA certificate file, used for CRL signature verification.

-CApath directory
    Path to a directory containing trusted CA certificates in PEM format, used for CRL signature verification.

-verify
    Verify the CRL signature.

The `crl` command, part of OpenSSL, is used to generate, update, and examine Certificate Revocation Lists (CRLs). CRLs are essential for managing the validity of certificates issued by a Certificate Authority (CA). When a certificate becomes compromised, expired before its indicated expiry date or otherwise invalid, the CA revokes it, and this revocation is recorded in the CRL. The `crl` command can create a new CRL from scratch, add newly revoked certificates to an existing CRL, or output the contents of an existing CRL in a human-readable format. This allows administrators to verify whether a certificate is still considered trusted. It is a crucial tool for maintaining a secure and reliable PKI infrastructure. CRLs can be distributed to clients so that they can verify the validity of certificates. It is used with openssl commands.

Display the contents of a CRL in text format:
openssl crl -in crl.pem -text -noout

Verify the signature of a CRL using a CA certificate:
openssl crl -in crl.pem -CAfile ca.pem -verify

openssl(1), openssl-ca(1)