openssl-crl
TLDR
View CRL contents
$ openssl crl -in [crl.pem] -text -noout
Convert PEM to DER
$ openssl crl -in [crl.pem] -outform DER -out [crl.der]
Convert DER to PEM
$ openssl crl -in [crl.der] -inform DER -out [crl.pem]
Verify CRL signature
$ openssl crl -in [crl.pem] -CAfile [ca.crt] -verify
Get CRL hash
$ openssl crl -in [crl.pem] -hash -noout
SYNOPSIS
openssl crl [options] [-in file] [-out file]
DESCRIPTION
openssl crl processes Certificate Revocation Lists. CRLs list certificates that have been revoked before their expiration date.
The command can display, convert, and verify CRL files.
PARAMETERS
-in file
Input CRL.
-out file
Output file.
-inform format
Input format (PEM, DER).
-outform format
Output format.
-text
Print text form.
-noout
Don't output CRL.
-verify
Verify signature.
-hash
Print hash.
-CAfile file
CA certificate.
CRL CONTENTS
Issuer - CA that issued CRL
Last Update - When CRL was issued
Next Update - When next CRL expected
Revoked Certs - List of serial numbers
CAVEATS
CRLs can grow large. Consider OCSP for real-time checking. A CRL must be current to be relied on.
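Added example, not part of the OpenSSL documentation: a shell helper that reads the output of `openssl crl -in [crl.pem] -text -noout`, refuses a CRL whose Next Update has passed, and then looks up a serial number. The name `crl_check`, its arguments and the sample text are assumptions made for this illustration, and the CRL signature is assumed to have been checked first with `-verify`.

```shell
#!/bin/sh
# crl_check SERIAL [NOW]   (hypothetical helper, not an OpenSSL command)
# stdin : text from `openssl crl -in crl.pem -text -noout`
# SERIAL: hex serial as OpenSSL prints it (case-insensitive)
# NOW   : UTC time as YYYYMMDDhhmmss, defaults to the current time
# Prints and returns: good (0), revoked (1), stale (2, fail closed).
crl_check() {
    awk -v want="$1" -v now="${2:-$(date -u +%Y%m%d%H%M%S)}" '
    BEGIN { months = "JanFebMarAprMayJunJulAugSepOctNovDec" }
    # "Next Update: Jan 31 00:00:00 2024 GMT" becomes 20240131000000
    $1 == "Next" && $2 == "Update:" {
        split($5, t, ":")
        next_update = sprintf("%04d%02d%02d%02d%02d%02d", $6,
            (index(months, $3) + 2) / 3, $4, t[1], t[2], t[3])
    }
    $1 == "Serial" && $2 == "Number:" && toupper($3) == toupper(want) {
        hit = 1
    }
    END {
        # A missing or past Next Update means the list proves nothing.
        if (next_update == "" || (next_update "") < (now "")) {
            print "stale"; exit 2
        }
        if (hit) { print "revoked"; exit 1 }
        print "good"
    }'
}

# Constructed sample of `openssl crl -text -noout` output (not a real CRL).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Last Update: Jan  1 00:00:00 2024 GMT
        Next Update: Jan 31 00:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 1001
        Revocation Date: Jan  2 00:00:00 2024 GMT
    Serial Number: 0A1B
        Revocation Date: Jan  3 00:00:00 2024 GMT'

# Demo: serial 0A1B checked on 15 Jan 2024, while the sample CRL is current.
printf '%s\n' "$SAMPLE_CRL_TEXT" | crl_check 0a1b 20240115000000 || true
```

In real use, pipe the live output in: `openssl crl -in [crl.pem] -text -noout | crl_check [serial]`.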
HISTORY
CRLs are defined in the X.509 standard as part of PKI and have been implemented in OpenSSL since early versions.
SEE ALSO
openssl-ca(1), openssl-verify(1), openssl-ocsp(1)


