
OpenSSL Cookbook, 3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step by step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.


2.15 Checking CRL Revocation

Checking certificate revocation with a Certificate Revocation List (CRL) is even more involved than doing the same via OCSP. The process is as follows:

  1. Obtain the certificate you wish to check for revocation.

  2. Obtain the issuing certificate.

  3. Download and verify the CRL.

  4. Look for the certificate serial number in the CRL.

The first two steps overlap with OCSP checking; to complete them, follow the instructions in Section 2.13, Checking OCSP Revocation.

The location of the CRL is encoded in the server certificate; look for the “X509v3 CRL Distribution Points” section in the text output. For example:

$ openssl x509 -in fd.crt -noout -text | grep -A 5 CRL
[...]
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Then fetch the CRL from the CA:

$ wget http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl -O comodo.crl

Verify that the CRL is valid (i.e., signed by the issuer certificate):

$ openssl crl -in comodo.crl -inform DER -CAfile issuer.crt -noout
verify OK

Now, determine the serial number of the certificate you wish to check:

$ openssl x509 -in fd.crt -noout -serial
serial=F47F09B599124B1F08846AC4D71EB0F2

At this point, you can convert the CRL into a human-readable format and inspect it manually:

$ openssl crl -in comodo.crl -inform DER -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
        Last Update: Aug 31 07:52:03 2020 GMT
        Next Update: Sep  7 07:52:03 2020 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 CRL Number: 
                2149
            1.3.6.1.4.1.311.21.4: 
200903195203Z   .
Revoked Certificates:
    Serial Number: 70DAB4B3229280F04364BC58DB2AB922
        Revocation Date: May 29 12:18:27 2017 GMT
    Serial Number: 51894D40389CDAB84A7A6F3374E1D893
        Revocation Date: May 30 23:20:55 2017 GMT
    [...]
    Signature Algorithm: sha256WithRSAEncryption
         5a:7c:6e:6e:98:05:c4:24:2b:84:7a:28:6f:45:26:33:6b:88:
         4d:dd:61:22:e4:23:47:76:c7:8a:55:ec:f9:72:29:47:21:73:
         [...]

The CRL starts with some metadata, which is followed by the list of revoked certificates, and it ends with a signature (which we verified in the previous step). If the serial number of the server certificate is on the list, the certificate has been revoked.

If you don’t want to look for the serial number visually (some CRLs can be quite long), grep for it, but be careful that your formatting matches that used by the crl tool. For example:

$ openssl crl -in comodo.crl -inform DER -text -noout | grep F47F09B599124B1F08846AC4D71EB0F2
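The following script, added here as an example and not part of the book, runs steps 3 and 4 end to end against a throw-away private CA that it builds on the spot, so it works offline and needs only the openssl binary on PATH. The function names (build_demo_pki, check_crl_revocation), the "Demo Root CA" name, the certificate names and the serial starting value are all constructed for the example. It treats a CRL that does not verify against the issuer as a separate outcome rather than as "not revoked", which is the distinction a revocation check must preserve, and it anchors the grep so that a short serial cannot match the prefix of a longer one.

```shell
#!/bin/sh
# Added example (not from the OpenSSL Cookbook): the four CRL steps from the
# text, run against a private CA built on the spot. Everything below is
# constructed for the demonstration.

# Build a demo CA in $1: issue good.crt and revoked.crt, revoke the latter,
# publish a DER CRL, and also create other.crt (same name, different key) to
# stand in for an issuer that did not actually sign the CRL.
build_demo_pki() {
  ca=$1
  mkdir -p "$ca/newcerts"
  : > "$ca/index.txt"
  echo 1000 > "$ca/serial"
  # Minimal configuration for "openssl ca"; the path in dir is the one above.
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
default_days     = 30
default_crl_days = 7
default_md       = sha256
policy           = policy_any
unique_subject   = no

[ policy_any ]
commonName = supplied
EOF
  # Issuer key and self-signed certificate (EC keys keep the demo fast).
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$ca/ca.key" -out "$ca/ca.crt" -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1
  # A second, unrelated key under the same name: the wrong issuer for this CRL.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$ca/other.key" -out "$ca/other.crt" -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1
  # Two end-entity certificates issued by the demo CA.
  for name in good revoked; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$ca/$name.key" -out "$ca/$name.csr" -subj "/CN=$name.example" >/dev/null 2>&1
    openssl ca -batch -notext -config "$ca/ca.cnf" \
      -in "$ca/$name.csr" -out "$ca/$name.crt" >/dev/null 2>&1
  done
  # Revoke one of them and publish the CRL in DER form, as CAs commonly do.
  openssl ca -batch -config "$ca/ca.cnf" -revoke "$ca/revoked.crt" >/dev/null 2>&1
  openssl ca -batch -config "$ca/ca.cnf" -gencrl -out "$ca/ca.crl.pem" >/dev/null 2>&1
  openssl crl -in "$ca/ca.crl.pem" -outform DER -out "$ca/ca.crl"
}

# Steps 3 and 4 for one certificate.
# Returns 0 = revoked, 1 = not on the CRL, 2 = CRL did not verify against the issuer.
check_crl_revocation() {
  cert=$1; crl=$2; issuer=$3
  # Step 3: never consult a CRL whose signature the issuer's key does not verify.
  # The exit status differs between OpenSSL releases, so key off the "verify OK"
  # line, which older releases print on stderr and newer ones on stdout.
  openssl crl -in "$crl" -inform DER -CAfile "$issuer" -noout 2>&1 | grep -q 'verify OK' || return 2
  # Step 4: both tools print the serial as uppercase hex with an even number of
  # digits, so the strings line up; the trailing $ stops a short serial from
  # matching the start of a longer one.
  serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
  openssl crl -in "$crl" -inform DER -text -noout | grep -q "Serial Number: ${serial}\$" && return 0
  return 1
}

main() {
  demo=$(mktemp -d)
  build_demo_pki "$demo"
  for c in good revoked; do
    check_crl_revocation "$demo/$c.crt" "$demo/ca.crl" "$demo/ca.crt"
    case $? in
      0) echo "$c.crt: REVOKED" ;;
      1) echo "$c.crt: not on the CRL" ;;
      *) echo "$c.crt: CRL did not verify, revocation status unknown" ;;
    esac
  done
  rm -rf "$demo"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sh crlcheck.sh run` to see both certificates classified. To apply the same check to a real certificate, keep only check_crl_revocation and pass it the server certificate, the downloaded CRL and the issuer certificate from steps 1 to 3.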