NAME
crl - CRL utility
LIBRARY
libcrypto, -lcrypto
SYNOPSIS
openssl crl [
-inform PEM|DER] [
-outform PEM|DER] [
-text] [
-in filename] [
-out filename] [
-nameopt
option] [
-noout] [
-hash] [
-issuer] [
-lastupdate] [
-nextupdate] [
-CAfile file] [
-CApath
dir]
DESCRIPTION
The
crl command processes CRL files in DER or PEM format.
COMMAND OPTIONS
- -inform DER|PEM
- This specifies the input format. DER format is DER
encoded CRL structure. PEM (the default) is a base64 encoded
version of the DER form with header and footer lines.
- -outform DER|PEM
- This specifies the output format, the options have the same
meaning as the -inform option.
- -in filename
- This specifies the input filename to read from or standard
input if this option is not specified.
- -out filename
- specifies the output filename to write to or standard
output by default.
- -text
- print out the CRL in text form.
- -nameopt option
- option which determines how the subject or issuer names are
displayed. See the description of -nameopt in
openssl_x509(1).
- -noout
- don't output the encoded version of the CRL.
- -hash
- output a hash of the issuer name. This can be use to lookup
CRLs in a directory by issuer name.
- -hash_old
- outputs the "hash" of the CRL issuer name using
the older algorithm as used by OpenSSL versions before 1.0.0.
- -issuer
- output the issuer name.
- -lastupdate
- output the lastUpdate field.
- -nextupdate
- output the nextUpdate field.
- -CAfile file
- verify the signature on a CRL by looking up the issuing
certificate in file
- -CApath dir
- verify the signature on a CRL by looking up the issuing
certificate in dir. This directory must be a standard certificate
directory: that is a hash of each subject name (using x509 -hash)
should be linked to each certificate.
NOTES
The PEM CRL format uses the header and footer lines:
-----BEGIN X509 CRL-----
-----END X509 CRL-----
EXAMPLES
Convert a CRL file from PEM to DER:
openssl crl -in crl.pem -outform DER -out crl.der
Output the text form of a DER encoded certificate:
openssl crl -in crl.der -text -noout
BUGS
Ideally it should be possible to create a CRL using appropriate options and
files too.
SEE ALSO
openssl_crl2pkcs7(1),
openssl_ca(1),
openssl_x509(1)