Certificate Revoke: Certificate Revocation List (CRL) Structure File Format and OpenSSL CRL Examples Decode CRL
CRL Introduction
CRLs (Certificate Revoke List) are signed data structures that contain a list of revoked certificates. The integrity and authenticity of the CRL is provided by the digital signature appended to the CRL. The signer of the CRL is typically the same entity that signed the issued certificate.
CRL is defined in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
CRL File Format
CRL encode in X509 format, CRL v2 structure as below:
- Version
- the version of the CRL
- Signature
- This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate.
- Issuer
- The issuer field identifies the entity that has signed and issued the certificate. The issuer field MUST contain a non-empty distinguished name (DN) of the CRL issuer (that is, the signer of the CRL). must always be present and unique.
- This Update
- The time that this CRL was issued, which may be represented in UTC Time or in Generalized Time
- Next Update
- Optionally, the time that the next CRL will be issued
- Revoked Certificates
- The list of revoked certificates, where each certificate is referenced
by a unique identifier includes:
- the unique serial numbers of the revoked certificates.
- the time that the certificate was no longer considered valid.
How to get CRL file
Normally in certificate detail info, you can find CRL extension info, like below:
Then just download CRL file, for example use wget
to download CRL file:
wget http://crl3.digicert.com/CloudflareIncECCCA-3.crl
Note
The downloaded CRL file encoded inDER
format.openssl crl
Examples of Decode CRL File
openssl crl
command processes CRL files in DER or PEM format.
Related openssl crl
command line options:
-in filename
This specifies the input filename to read from or standard input if this option is not specified.
-inform DER|PEM
The CRL input format; unspecified by default.
-out filename
Specifies the output filename to write to or standard output by default.
-outform DER|PEM
The CRL output format; the default is PEM.
-text
Print out the CRL in text form.
-noout
Don't output the encoded version of the CRL.
openssl crl
decode CRL example:
$ openssl crl -in CloudflareIncECCCA-3.crl -inform der -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: /C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
Last Update: Feb 21 05:35:07 2022 GMT
Next Update: Feb 28 05:35:07 2022 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F
X509v3 CRL Number:
752
Revoked Certificates:
Serial Number: 0BFD09015736DF07C927E49FF74F89CC
Revocation Date: Jul 21 17:13:14 2021 GMT
Serial Number: 0110CA39202DF52507B6FDD326812BBE
Revocation Date: Aug 9 19:51:34 2021 GMT
Serial Number: 07193E9D4D17F5C924E9C07A500D9685
Revocation Date: Aug 17 14:34:20 2021 GMT
Serial Number: 0E3E6941AEB9902D5F0A720D27890897
Revocation Date: Aug 17 17:55:35 2021 GMT
Serial Number: 0A56A48DB8A7EA9E7076F29343E28103
Revocation Date: Aug 18 21:51:38 2021 GMT
Serial Number: 095B664E6167BBE6C20EBCE02046854A
Revocation Date: Sep 2 18:17:13 2021 GMT
Serial Number: 053B85DB7A3DE00A5CC8458FB7CC6AFA
Revocation Date: Sep 8 11:04:01 2021 GMT
Serial Number: 04548F8DF1594B946BB216D318CA1D44
Revocation Date: Oct 14 10:01:12 2021 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 0AA596194347F5C5931392D9159BFF16
Revocation Date: Oct 18 13:48:55 2021 GMT
Serial Number: 0DE5F07ADF3B83D789E4778D5C0DAB02
Revocation Date: Nov 11 14:18:17 2021 GMT
Serial Number: 08D69E48FAEB2B4167B3B03724C1F8A4
Revocation Date: Jan 26 21:38:09 2022 GMT
Serial Number: 029C08475E55C9D8FE2BD928201E7208
Revocation Date: Jan 26 21:38:18 2022 GMT
Serial Number: 076815D22B5ED218CA64EE64D7C2081C
Revocation Date: Feb 10 19:10:49 2022 GMT
Serial Number: 089DA7998FACEF0D082FECA6A275E19F
Revocation Date: Feb 10 19:11:20 2022 GMT
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:8b:20:d2:92:d2:e0:19:82:c2:ee:4b:31:9a:
76:7a:81:f2:3d:48:d6:cb:21:5c:b2:46:ad:21:41:89:96:fa:
5d:02:21:00:99:fa:9d:0d:05:3d:46:56:6a:e1:23:74:78:cd:
c5:68:a3:4a:98:5e:c1:22:b5:fa:3a:50:52:c6:4b:a3:d7:e9
CRL File Format Convert Between DER and PEM
Convert CRL File From DER to PEM
Use openssl crl
to convert a CRL file from DER to PEM:
$ openssl crl -in CloudflareIncECCCA-3.crl -inform der -outform PEM
-----BEGIN X509 CRL-----
MIIDAjCCAqcCAQEwCgYIKoZIzj0EAwIwSjELMAkGA1UEBhMCVVMxGTAXBgNVBAoT
EENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVDQyBD
QS0zFw0yMjAyMjEwNTM1MDdaFw0yMjAyMjgwNTM1MDdaMIIB+DAhAhAL/QkBVzbf
B8kn5J/3T4nMFw0yMTA3MjExNzEzMTRaMCECEAEQyjkgLfUlB7b90yaBK74XDTIx
MDgwOTE5NTEzNFowIQIQBxk+nU0X9ckk6cB6UA2WhRcNMjEwODE3MTQzNDIwWjAh
AhAOPmlBrrmQLV8Kcg0niQiXFw0yMTA4MTcxNzU1MzVaMCECEApWpI24p+qecHby
k0PigQMXDTIxMDgxODIxNTEzOFowIQIQCVtmTmFnu+bCDrzgIEaFShcNMjEwOTAy
MTgxNzEzWjAhAhAFO4Xbej3gClzIRY+3zGr6Fw0yMTA5MDgxMTA0MDFaMC8CEARU
j43xWUuUa7IW0xjKHUQXDTIxMTAxNDEwMDExMlowDDAKBgNVHRUEAwoBATAhAhAK
pZYZQ0f1xZMTktkVm/8WFw0yMTEwMTgxMzQ4NTVaMCECEA3l8HrfO4PXieR3jVwN
qwIXDTIxMTExMTE0MTgxN1owIQIQCNaeSPrrK0Fns7A3JMH4pBcNMjIwMTI2MjEz
ODA5WjAhAhACnAhHXlXJ2P4r2SggHnIIFw0yMjAxMjYyMTM4MThaMCECEAdoFdIr
XtIYymTuZNfCCBwXDTIyMDIxMDE5MTA0OVowIQIQCJ2nmY+s7w0IL+ymonXhnxcN
MjIwMjEwMTkxMTIwWqAwMC4wHwYDVR0jBBgwFoAUpc436uuwdQ6UZ4i0RfrZJBCH
lh8wCwYDVR0UBAQCAgLwMAoGCCqGSM49BAMCA0kAMEYCIQCLINKS0uAZgsLuSzGa
dnqB8j1I1sshXLJGrSFBiZb6XQIhAJn6nQ0FPUZWauEjdHjNxWijSphewSK1+jpQ
UsZLo9fp
-----END X509 CRL-----
Convert CRL File From PEM to DER
Use openssl crl
to convert a CRL file from PEM to DER:
$ openssl crl -in crl.pem -outform DER -out crl.der
FAQ
Q: Why CRL URL is not https
?
Since CRL file is already digital signed, there is no need to use https.
Related pages:
- Detailed Explanation of PKI Terminology and Definitions
- Online X509 Certificate Viewer / Decoder
- Let's Encrypt CA Root Hierarchy Chain Evolution History
- Certificate Revoke: Online Certificate Status Protocol (OCSP) With Example Request/Response