Certificate Revocation: Certificate Revocation List (CRL) Structure, File Format and OpenSSL CRL Decode Examples


CRL Introduction

CRLs (Certificate Revocation Lists) are signed data structures that contain a list of revoked certificates. The integrity and authenticity of a CRL come from the digital signature appended to it, not from the channel it was downloaded over. The signer of the CRL is typically the CA that issued the certificates it lists, although RFC 5280 also allows a separate CRL issuer (an indirect CRL).

The CRL format is defined in RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 5.

CRL File Format

A CRL is an ASN.1 structure, DER-encoded like an X.509 certificate (and often wrapped in PEM). It consists of the signed body (tbsCertList), the signature algorithm identifier and the signature value. The CRL v2 body has the fields below:

CRL v2 structure

Version
The version of the encoded CRL. Whenever extensions are used, as RFC 5280 requires, this field MUST be present and MUST be v2 (the integer value is 1, which is why openssl prints "Version 2 (0x1)").
Signature
The algorithm identifier for the algorithm the CRL issuer used to sign the CRL. It MUST be the same as the signatureAlgorithm field that follows the signed body; a mismatch between the two is a malformed (or tampered) CRL.
Issuer
The entity that signed and issued the CRL. This field MUST contain a non-empty distinguished name (DN) of the CRL issuer; it identifies the key the signature has to be verified with.
This Update
The time this CRL was issued, represented as UTCTime (dates up to 2049) or GeneralizedTime (2050 and later).
Next Update
The time by which the next CRL will be issued. The field is optional in the ASN.1 syntax, but RFC 5280 requires conforming CRL issuers to include it; a relying party should treat a CRL whose Next Update has passed as stale.
Revoked Certificates
The list of revoked certificates (absent when nothing is revoked). Each entry contains:
  • the serial number of the revoked certificate, unique within the issuer, which is how a certificate is matched against the list;
  • the revocation date, the time from which the certificate is no longer considered valid;
  • optional CRL entry extensions, most commonly the Reason Code (for example Key Compromise).
Extensions
CRL extensions, present in every real-world CRL: the Authority Key Identifier, which names the signing key, and the CRL Number, a monotonically increasing counter that lets a client detect that it has been handed an older CRL than the one it already holds.

How to get CRL file

The URL of the CRL is published in the certificate itself, in the X509v3 CRL Distribution Points extension. You can see it in the certificate details view of a browser or in the output of openssl x509 -text, like below:

certificate crl extension

Then download the CRL file from that URL, for example with wget (a file served under a .crl name is normally the binary DER encoding):

wget http://crl3.digicert.com/CloudflareIncECCCA-3.crl

openssl crl Examples: Decoding a CRL File

The openssl crl command reads, prints, verifies and converts CRL files in DER or PEM format.

Related openssl crl command line options:

-in filename
    This specifies the input filename to read from or standard input if this option is not specified.

-inform DER|PEM
    The CRL input format. OpenSSL 3.x leaves it unspecified by default and detects the format; OpenSSL 1.1.1 and older default to PEM, so pass -inform der explicitly for a binary .crl file.

-out filename
    Specifies the output filename to write to or standard output by default.

-outform DER|PEM
    The CRL output format; the default is PEM.

-text
    Print out the CRL in text form.

-noout
    Don't output the encoded version of the CRL.

-CAfile filename
    Verify the CRL signature against the issuer certificate in filename (this implies -verify); openssl reports "verify OK" or "verify failure" on stderr. Without it, openssl crl only decodes the CRL and says nothing about whether the signature is genuine.

-lastupdate, -nextupdate, -crlnumber
    Print just the corresponding field, handy for scripts that check whether a cached CRL is still current.

Decoding the CRL downloaded above with openssl crl (the file is DER, hence -inform der):

$ openssl crl -in CloudflareIncECCCA-3.crl -inform der -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: /C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
        Last Update: Feb 21 05:35:07 2022 GMT
        Next Update: Feb 28 05:35:07 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F

            X509v3 CRL Number:
                752
Revoked Certificates:
    Serial Number: 0BFD09015736DF07C927E49FF74F89CC
        Revocation Date: Jul 21 17:13:14 2021 GMT
    Serial Number: 0110CA39202DF52507B6FDD326812BBE
        Revocation Date: Aug  9 19:51:34 2021 GMT
    Serial Number: 07193E9D4D17F5C924E9C07A500D9685
        Revocation Date: Aug 17 14:34:20 2021 GMT
    Serial Number: 0E3E6941AEB9902D5F0A720D27890897
        Revocation Date: Aug 17 17:55:35 2021 GMT
    Serial Number: 0A56A48DB8A7EA9E7076F29343E28103
        Revocation Date: Aug 18 21:51:38 2021 GMT
    Serial Number: 095B664E6167BBE6C20EBCE02046854A
        Revocation Date: Sep  2 18:17:13 2021 GMT
    Serial Number: 053B85DB7A3DE00A5CC8458FB7CC6AFA
        Revocation Date: Sep  8 11:04:01 2021 GMT
    Serial Number: 04548F8DF1594B946BB216D318CA1D44
        Revocation Date: Oct 14 10:01:12 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0AA596194347F5C5931392D9159BFF16
        Revocation Date: Oct 18 13:48:55 2021 GMT
    Serial Number: 0DE5F07ADF3B83D789E4778D5C0DAB02
        Revocation Date: Nov 11 14:18:17 2021 GMT
    Serial Number: 08D69E48FAEB2B4167B3B03724C1F8A4
        Revocation Date: Jan 26 21:38:09 2022 GMT
    Serial Number: 029C08475E55C9D8FE2BD928201E7208
        Revocation Date: Jan 26 21:38:18 2022 GMT
    Serial Number: 076815D22B5ED218CA64EE64D7C2081C
        Revocation Date: Feb 10 19:10:49 2022 GMT
    Serial Number: 089DA7998FACEF0D082FECA6A275E19F
        Revocation Date: Feb 10 19:11:20 2022 GMT
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:8b:20:d2:92:d2:e0:19:82:c2:ee:4b:31:9a:
         76:7a:81:f2:3d:48:d6:cb:21:5c:b2:46:ad:21:41:89:96:fa:
         5d:02:21:00:99:fa:9d:0d:05:3d:46:56:6a:e1:23:74:78:cd:
         c5:68:a3:4a:98:5e:c1:22:b5:fa:3a:50:52:c6:4b:a3:d7:e9

CRL File Format Convert Between DER and PEM

Convert CRL File From DER to PEM

Use openssl crl to convert a CRL file from DER to PEM:

$ openssl crl -in CloudflareIncECCCA-3.crl -inform der -outform PEM
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

Convert CRL File From PEM to DER

Use openssl crl to convert a CRL file from PEM to DER:

$ openssl crl -in crl.pem -outform DER -out crl.der

FAQ

Q: Why is the CRL URL http rather than https?

The CRL is already digitally signed by the CA, so its integrity and authenticity are checked by verifying that signature against the issuer's certificate; a TLS channel adds nothing to that. HTTPS would also create a circular dependency: to validate the certificate of the CRL server, the client might need to download this very CRL. What plain HTTP does not give you is freshness: anyone on the path can block the download or serve an older, still validly signed CRL that predates a revocation. A client therefore has to check Next Update and the CRL Number (the signature alone cannot tell a current CRL from a replayed one) and decide what to do when the CRL cannot be fetched at all.
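Putting the structure from the CRL File Format section and the caveat in this answer into code, here is an added example (not code from the original page, and unrelated to Cloudflare's or DigiCert's software): a pure standard-library Python parser for a DER CRL that returns the fields openssl prints, plus the freshness and anti-rollback checks a client has to perform in addition to verifying the signature. The sample CRL it parses is constructed inside the block with a small DER encoder (made-up issuer and serials, all-zero placeholder signature); the function names, the OID table and the check policy are my own, not an OpenSSL API.

```python
# Added example (not from the original page): a pure-stdlib DER parser for an X.509 v2 CRL
# (RFC 5280 section 5) plus the freshness/anti-rollback checks a relying party needs on top
# of signature verification.  The sample CRL is CONSTRUCTED with the small DER encoder
# below and carries an all-zero placeholder signature; verify real ones with openssl.
import datetime as dt

# OID contents as raw DER bytes (tag and length omitted); dotted form in the comments
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2 ecdsa-with-SHA256
OID_CRL_NUMBER, OID_REASON = bytes.fromhex("551d14"), bytes.fromhex("551d15")   # 2.5.29.20, 2.5.29.21
ATTR = {bytes.fromhex("550406"): "C", bytes.fromhex("55040a"): "O", bytes.fromhex("550403"): "CN"}
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 4: "superseded", 6: "certificateHold"}

def tlv(tag, body):                  # DER encoder (sample only): tag, definite length (< 65536), content
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def der_int(v):                      # non-negative INTEGER, minimal two's complement
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_utctime(t):                  # UTCTime YYMMDDHHMMSSZ
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def read_tlv(buf, pos=0):            # DER decoder -> (tag, content, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                     # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def read_seq(body):                  # children of a constructed element as (tag, content) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, body):           # 0x17 UTCTime (2-digit year) or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_name(body):                # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }
    atvs = [read_seq(atv) for _, rdn in read_seq(body) for _, atv in read_seq(rdn)]
    return "/" + "/".join(f"{ATTR.get(o, o.hex())}={v.decode()}" for (_, o), (_, v) in atvs)

def ext_value(ext):                  # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
    e = read_seq(ext)
    return e[0][1], read_tlv(e[-1][1])[1]   # (OID bytes, content of the DER value inside the OCTET STRING)

def parse_crl(der):
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue BIT STRING }"""
    (_, tbs), (_, sig_alg), (_, sig) = read_seq(read_tlv(der)[1])
    f = read_seq(tbs)                # TBSCertList fields in order; version is the only one that may be absent
    version, i = (int.from_bytes(f[0][1], "big") + 1, 1) if f[0][0] == 0x02 else (1, 0)  # v2 encodes as 1
    tbs_alg = read_seq(f[i][1])[0][1]
    issuer, this_update, i = parse_name(f[i + 1][1]), parse_time(*f[i + 2]), i + 3
    next_update = parse_time(*f[i]) if i < len(f) and f[i][0] in (0x17, 0x18) else None
    i += 1 if next_update else 0
    revoked = {}                     # serial -> {"date", "reason"}
    if i < len(f) and f[i][0] == 0x30:
        for _, entry in read_seq(f[i][1]):
            parts = read_seq(entry)  # userCertificate serial, revocationDate, optional crlEntryExtensions
            exts = [ext_value(x) for _, x in read_seq(parts[2][1])] if len(parts) > 2 else []
            reasons = [REASONS.get(v[0], v[0]) for o, v in exts if o == OID_REASON]  # ENUMERATED CRLReason
            revoked[int.from_bytes(parts[0][1], "big")] = {"date": parse_time(*parts[1]),
                                                            "reason": reasons[0] if reasons else None}
        i += 1
    crl_number = None
    if i < len(f) and f[i][0] == 0xA0:   # [0] EXPLICIT crlExtensions
        for oid, val in (ext_value(x) for _, x in read_seq(read_tlv(f[i][1])[1])):
            if oid == OID_CRL_NUMBER:
                crl_number = int.from_bytes(val, "big")
    if read_seq(sig_alg)[0][1] != tbs_alg:
        raise ValueError("signatureAlgorithm differs from tbsCertList.signature (RFC 5280 5.1.1.2)")
    return {"version": version, "sig_alg": "ecdsa-with-SHA256" if tbs_alg == OID_ECDSA_SHA256 else tbs_alg.hex(),
            "issuer": issuer, "this_update": this_update, "next_update": next_update, "revoked": revoked,
            "crl_number": crl_number, "signature": sig[1:]}   # sig[0] is the BIT STRING unused-bits count

def check_crl(crl, now, last_seen_number=None):
    """Freshness and anti-rollback checks (now must be timezone-aware).  A valid signature proves
    who issued the CRL, not that it is the current one; returns a list of problems, empty if usable."""
    problems = []
    if crl["next_update"] is None:
        problems.append("nextUpdate missing (RFC 5280: conforming CRL issuers MUST include it)")
    elif now > crl["next_update"]:
        problems.append("stale CRL: now is past nextUpdate, fetch a fresh one")
    if last_seen_number is not None and (crl["crl_number"] is None or crl["crl_number"] < last_seen_number):
        problems.append("CRL Number went backwards: possible replay of an older, still validly signed CRL")
    return problems

def build_sample_crl():              # CONSTRUCTED sample shaped like the decoded CRL above, not a real CRL
    alg = tlv(0x30, tlv(0x06, OID_ECDSA_SHA256))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example ECC CA-3"))))
    t0 = dt.datetime(2022, 2, 21, 5, 35, 7)
    reason = tlv(0x30, tlv(0x06, OID_REASON) + tlv(0x04, tlv(0x0A, b"\x01")))      # reasonCode keyCompromise
    entries = tlv(0x30, tlv(0x30, der_int(0x0BFD09015736DF07) + der_utctime(dt.datetime(2021, 7, 21, 17, 13, 14)))
                  + tlv(0x30, der_int(0x04548F8DF1594B94) + der_utctime(dt.datetime(2021, 10, 14, 10, 1, 12))
                        + tlv(0x30, reason)))
    number = tlv(0x30, tlv(0x06, OID_CRL_NUMBER) + tlv(0x04, der_int(752)))
    tbs = tlv(0x30, der_int(1) + alg + issuer + der_utctime(t0) + der_utctime(t0 + dt.timedelta(days=7))
              + entries + tlv(0xA0, tlv(0x30, number)))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(71)))   # BIT STRING: unused-bits byte + all-zero signature
```

To use it on a real file, pass the bytes of a DER CRL (the downloaded .crl, or the output of openssl crl -outform DER) to parse_crl, then call check_crl with the current time and the CRL Number you cached from the previous download; a serial is revoked if it is a key of the returned "revoked" dictionary. The block deliberately does not verify the signature, which needs the issuer's public key: do that with openssl crl -in CloudflareIncECCCA-3.crl -inform der -CAfile issuer.pem -noout before trusting anything the parser returns.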
