2.15 Checking CRL Revocation
Checking certificate revocation against a Certificate Revocation List (CRL) is even more involved than doing the same via OCSP. The process is as follows:
- Obtain the certificate you wish to check for revocation.
- Obtain the issuing certificate.
- Download and verify the CRL.
- Look for the certificate serial number in the CRL.
The first steps overlap with OCSP checking; to complete them follow the instructions in Section 2.13, Checking OCSP Revocation.
The location of the CRL is encoded in the server certificate; look for the “X509v3 CRL Distribution Points” section in the text output. For example:
$ openssl x509 -in fd.crt -noout -text | grep -A 5 CRL
[...]
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Then fetch the CRL from the CA:
$ wget http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl -O comodo.crl
Verify that the CRL is valid (i.e., signed by the issuer certificate):
$ openssl crl -in comodo.crl -inform DER -CAfile issuer.crt -noout
verify OK
Now, determine the serial number of the certificate you wish to check:
$ openssl x509 -in fd.crt -noout -serial
serial=F47F09B599124B1F08846AC4D71EB0F2
At this point, you can convert the CRL into a human-readable format and inspect it manually:
$ openssl crl -in comodo.crl -inform DER -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
        Last Update: Aug 31 07:52:03 2020 GMT
        Next Update: Sep  7 07:52:03 2020 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 CRL Number:
                2149
            1.3.6.1.4.1.311.21.4:
                200903195203Z .
Revoked Certificates:
    Serial Number: 70DAB4B3229280F04364BC58DB2AB922
        Revocation Date: May 29 12:18:27 2017 GMT
    Serial Number: 51894D40389CDAB84A7A6F3374E1D893
        Revocation Date: May 30 23:20:55 2017 GMT
[...]
    Signature Algorithm: sha256WithRSAEncryption
         5a:7c:6e:6e:98:05:c4:24:2b:84:7a:28:6f:45:26:33:6b:88:
         4d:dd:61:22:e4:23:47:76:c7:8a:55:ec:f9:72:29:47:21:73:
[...]
The CRL starts with some metadata, which is followed by a list of revoked certificates, and it ends with a signature (which we verified in the previous step). If the serial number of the server certificate is on the list, that means it has been revoked.
If you don’t want to look for the serial number visually (some CRLs can be quite long), grep for it, but be careful that your formatting matches that used by the crl tool (uppercase hexadecimal without colons, as in the -serial output above). For example:
$ openssl crl -in comodo.crl -inform DER -text -noout | grep F47F09B599124B1F08846AC4D71EB0F2
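The whole procedure, as an added shell example that is not from the book: it assumes an openssl binary on PATH and takes the server certificate, the issuer certificate, and the downloaded CRL as arguments (the file names are placeholders). It normalises the serial number to the format the crl tool prints, and it reads the verification verdict that openssl crl prints on stderr rather than relying only on the exit status, which does not reliably signal a failed verification.

```shell
#!/bin/sh
# Added example (not from the book). Assumes an openssl binary on PATH; the
# file names passed as arguments are whatever you obtained in the steps above.

# Normalise a serial number to the form `openssl crl -text` prints: uppercase
# hex, no "serial=" prefix, no colons, no leading zeros (a lone "0" is kept).
normalize_serial() {
    printf '%s\n' "$1" | sed 's/^serial=//' | tr -d ':' | tr 'a-f' 'A-F' \
        | sed 's/^0*\(.\)/\1/'
}

# check_crl_revocation CERT ISSUER CRL [INFORM]
#   exit 0: serial not listed, 1: serial listed (revoked), 2: CRL did not verify
check_crl_revocation() {
    cert=$1; issuer=$2; crl=$3; inform=${4:-DER}

    # Verify the CRL signature first: an unverified CRL tells you nothing.
    # The verdict is printed on stderr, so capture it instead of trusting the
    # exit status alone (openssl crl can print "verify failure" and still exit 0).
    verdict=$(openssl crl -in "$crl" -inform "$inform" -CAfile "$issuer" -noout 2>&1 || true)
    case $verdict in
        *"verify OK"*) ;;
        *) echo "CRL $crl did not verify against $issuer: $verdict" >&2; return 2 ;;
    esac

    serial=$(normalize_serial "$(openssl x509 -in "$cert" -noout -serial)")

    # Match a whole "Serial Number:" line, tolerating leading zeros, rather than
    # grepping for a bare substring that could match part of another serial.
    if openssl crl -in "$crl" -inform "$inform" -text -noout \
        | grep -qE "^ *Serial Number: 0*${serial}$"; then
        echo "REVOKED: serial $serial is listed in $crl"
        return 1
    fi
    echo "not revoked: serial $serial is not listed in $crl"
    return 0
}
```

Run it as `sh check_crl.sh` after appending a call such as `check_crl_revocation fd.crt issuer.crt comodo.crl`; pass `PEM` as the fourth argument for a PEM-encoded CRL.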