Reading/Parsing a CRL with OpenSSL

The following command parses a CRL and lists the revoked serial numbers:

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you're unsure whether it is DER or PEM, open it with a text editor.
If you see -----BEGIN X509 CRL----- then it's PEM, and if you see strange binary-looking garbage characters it's DER.

[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityInternalDeviceCA.crl | head
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /DC=net/DC=nsroot/CN=DBVersity Internal DeviceCA Untrusted
Last Update: Dec 5 18:44:15 2016 GMT
Next Update: Dec 12 19:04:15 2016 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:44:D3:DF:9C:FB:0C:0F:D6:E5:E3:1F:99:FB:C0:C9:77:27:B7:BA:30

[usr@hostname pki]#

[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityInternalDeviceCA.crl | tail
dc:66:36:89:01:79:5a:56:7c:ae:df:b6:4e:a5:dc:b0:c4:d2:
e0:35:3b:58:dc:92:45:9f:fd:90:ea:01:ef:cf:c6:b0:1f:7d:
c0:f7:fb:1b:37:35:31:7c:1f:e3:90:d0:fc:6b:8a:3b:b9:14:
f5:d1:b1:91:cc:cd:05:b9:a7:a4:af:c6:7a:88:93:8d:c7:04:
80:24:07:60:4c:67:c6:a9:5c:bd:da:df:a0:2d:ac:c5:6b:7e:
1b:98:a5:04:f8:f0:8f:db:5a:ee:25:d5:60:4d:06:10:d6:37:
4a:b3:51:3a:d7:f9:21:78:96:0f:ac:6c:72:b2:d5:75:0e:ea:
81:87:c6:6d:45:d3:f5:99:c2:27:85:f7:04:7f:ea:30:48:2b:
30:98:fc:4b:66:71:70:7c:29:dd:a7:ed:61:02:1f:e8:72:95:
b8:aa:99:7c
[usr@hostname pki]#

[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityInternalDeviceCA.crl | grep Serial | head
Serial Number: 174E0D9EXXXXXXX185D
Serial Number: 3CB7388CXXXXXXX16DC
Serial Number: 61096343XXXXXXX13A9
Serial Number: 71CB7E49XXXXXXX1624
Serial Number: 711B7013XXXXXXX1621
Serial Number: 3063B3E3XXXXXXX199D
Serial Number: 5D98FBA9XXXXXXX1398
Serial Number: 1648DFC9XXXXXXX07A6
Serial Number: 6B596932XXXXXXX17F7
Serial Number: 69C0A1D6XXXXXXX17EC
[usr@hostname pki]#

[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityInternalDeviceCA.crl | grep -A4 Serial | tail
CRL entry extensions:
X509v3 CRL Reason Code:
Superseded
Serial Number: 2283E43EXXXXXXX25A3
Revocation Date: Jun 6 00:53:37 2016 GMT
Serial Number: 2283A838XXXXXXX25A1
Revocation Date: Jun 6 00:53:37 2016 GMT
Signature Algorithm: sha1WithRSAEncryption
65:c8:7c:7b:41:ea:d6:dd:22:89:20:85:93:b1:20:04:56:61:
16:63:47:49:53:8b:2a:27:68:e8:1b:4e:40:e5:3e:f6:93:07:
[usr@hostname pki]#

[usr@hostname pki]# openssl x509 -in /etc/opt/rh/rh-mariadb101/pki/mariadb_cert.pem -serial -noout
serial=60BC3E35XXXXXXX2F62
[usr@hostname pki]#
[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityDeviceCA1G2LAB.crl | grep '60BC3E35XXXXXXX2F62'
[usr@hostname pki]#
[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBVersityInternalDeviceCA.crl | grep '60BC3E35XXXXXXX2F62'
[usr@hostname pki]#
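
The last commands above grep the CRL text for the certificate's serial. As an added example (not part of the original post), the shell functions below do the same lookup with an exact match, so a serial that is only a substring of a revoked one is not reported as revoked. The function names and the sample serials are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `openssl crl -text -noout` output (serials are made up).
SAMPLE_CRL_TEXT='Revoked Certificates:
    Serial Number: 2AF3
        Revocation Date: Jun  6 00:53:37 2016 GMT
    Serial Number: 012AF39C
        Revocation Date: Jun  6 00:53:37 2016 GMT'

# Print PEM or DER for a CRL file, using the header test described above.
crl_inform() {
    if grep -q -e '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Normalise a serial: drop "serial=", colons and spaces, uppercase, strip leading zeros.
norm_serial() {
    printf '%s\n' "$1" | sed -e 's/^serial=//' | tr -d ': ' |
        tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# Read CRL text on stdin, print one normalised revoked serial per line.
revoked_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | tr -d ': ' |
        tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# is_revoked SERIAL: CRL text on stdin; exit 0 only on a whole-line match.
is_revoked() {
    want=$(norm_serial "$1")
    [ -n "$want" ] && revoked_serials | grep -qxF -- "$want"
}

# check_cert CERT.pem CRL: returns 1 if revoked, 2 if openssl fails, 0 if not listed.
check_cert() {
    serial=$(openssl x509 -in "$1" -serial -noout) || return 2
    text=$(openssl crl -inform "$(crl_inform "$2")" -in "$2" -text -noout) || return 2
    if printf '%s\n' "$text" | is_revoked "$serial"; then
        echo "REVOKED: $serial"
        return 1
    fi
    echo "not listed: $serial"
}
```

A "not listed" result only covers the CRL file that was checked; compare its Issuer and Next Update lines (shown in the head output above) against the certificate's issuer and the current date before relying on it.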
