Certificate Revocation List
From Just Solve the File Format Problem
(Difference between revisions)
(Created page with "{{FormatInfo |formattype=electronic |subcat=Security |extensions={{ext|crl}}, {{ext|pem}} }} A '''Certificate Revocation List''' ('''CRL''') is a cryptographically-signed list...") |
Line 7: | Line 7: | ||
A CRL file may be encoded in [[PEM]] format, [[DER]] format, or possibly some other format. | A CRL file may be encoded in [[PEM]] format, [[DER]] format, or possibly some other format. | ||
+ | |||
+ | CRL files are becoming less widely-used, in favor of the OCSP protocol. | ||
== Identification == | == Identification == | ||
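Review bot: The added OCSP sentence states a trend with no source and no wiki link; suggest writing it as [[OCSP]], matching the [[PEM]] and [[DER]] links in the context line above, and dropping the hyphen in "widely-used".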
Line 14: | Line 16: | ||
To view the contents of a PEM-encoded CRL file, using OpenSSL: | To view the contents of a PEM-encoded CRL file, using OpenSSL: | ||
openssl crl -noout -text -in example.crl | openssl crl -noout -text -in example.crl | ||
+ | |||
+ | To view the contents of a DER-encoded CRL file: | ||
+ | openssl crl -inform DER -noout -text -in example.crl | ||
== Software == | == Software == | ||
* [http://www.openssl.org/ OpenSSL] | * [http://www.openssl.org/ OpenSSL] | ||
+ | |||
+ | == Sample files == | ||
+ | Most SSL certificates contain a link to a CRL file (in the "CRL Distribution Points" extension"), so live CRL files are easy to find. | ||
+ | * [http://gtssldv-crl.geotrust.com/crls/gtssldv.crl gtssldv.crl] | ||
+ | * [http://crl.thawte.com/ThawteEVCA2006.crl ThawteEVCA2006.crl] | ||
+ | * [http://EVSecure-crl.verisign.com/EVSecure2006.crl EVSecure2006.crl] |
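Review bot: The added Sample files sentence has a stray closing quote after the word extension ("CRL Distribution Points" extension"), which should be removed. The new DER example also reuses the file name example.crl from the PEM example, so a short note on how to tell the two encodings apart would help a reader pick the right command.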
Revision as of 23:41, 22 October 2013
A Certificate Revocation List (CRL) is a cryptographically signed list of certificates that a certificate authority has declared to be revoked.
A CRL file may be encoded in PEM format, DER format, or possibly some other format.
CRL files are becoming less widely used, in favor of the OCSP protocol.
Identification
A PEM-encoded CRL file is plain text, with base64-encoded payload data. It contains a line that reads "-----BEGIN X509 CRL-----".
Examples
To view the contents of a PEM-encoded CRL file, using OpenSSL:
openssl crl -noout -text -in example.crl
To view the contents of a DER-encoded CRL file:
openssl crl -inform DER -noout -text -in example.crl
Software
Sample files
Most SSL certificates contain a link to a CRL file (in the "CRL Distribution Points" extension), so live CRL files are easy to find.