openssl-crl.1ossl - Man Page

CRL command

Synopsis

openssl crl [-help] [-inform DER|PEM] [-outform DER|PEM] [-key filename] [-keyform DER|PEM|P12] [-dateopt] [-text] [-in filename] [-out filename] [-gendelta filename] [-badsig] [-verify] [-noout] [-hash] [-hash_old] [-fingerprint] [-crlnumber] [-issuer] [-lastupdate] [-nextupdate] [-nameopt option] [-CAfile file] [-no-CAfile] [-CApath dir] [-no-CApath] [-CAstore uri] [-no-CAstore] [-provider name] [-provider-path path] [-propquery propq]

Description

This command processes CRL files in DER or PEM format.

Options

-help

Print out a usage message.

-inform DER|PEM

The CRL input format; unspecified by default. See openssl-format-options(1) for details.

-outform DER|PEM

The CRL output format; the default is PEM. See openssl-format-options(1) for details.

-key filename

The private key to be used to sign the CRL.

-keyform DER|PEM|P12

The format of the private key file; unspecified by default. See openssl-format-options(1) for details.

-in filename

This specifies the input filename to read from or standard input if this option is not specified.

-out filename

Specifies the output filename to write to or standard output by default.

-gendelta filename

Output a comparison of the main CRL and the one specified here.

-badsig

Corrupt the signature before writing it; this can be useful for testing.

-dateopt

Specify the date output format. Values are: rfc_822 and iso_8601. Defaults to rfc_822.

-text

Print out the CRL in text form.

-verify

Verify the signature in the CRL.

-noout

Don't output the encoded version of the CRL.

-fingerprint

Output the fingerprint of the CRL.

-crlnumber

Output the number of the CRL.

-hash

Output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name.

-hash_old

Outputs the “hash” of the CRL issuer name using the older algorithm as used by OpenSSL before version 1.0.0.

-issuer

Output the issuer name.

-lastupdate

Output the lastUpdate field.

-nextupdate

Output the nextUpdate field.

-nameopt option

This specifies how the subject or issuer names are displayed. See openssl-namedisplay-options(1) for details.

-CAfile file, -no-CAfile,  -CApath dir, -no-CApath,  -CAstore uri, -no-CAstore

See “Trusted Certificate Options” in openssl-verification-options(1) for details.

-provider name
-provider-path path
-propquery propq

See “Provider Options” in openssl(1), provider(7), and property(7).

Examples

Convert a CRL file from PEM to DER:

 openssl crl -in crl.pem -outform DER -out crl.der

Output the text form of a DER encoded certificate:

 openssl crl -in crl.der -text -noout

Bugs

Ideally it should be possible to create a CRL using appropriate options and files too.

See Also

openssl(1), openssl-crl2pkcs7(1), openssl-ca(1), openssl-x509(1), ossl_store-file(7)

Referenced By

openssl.1ossl(1), openssl-cmds.1ossl(1), openssl-rehash.1ossl(1), X509_LOOKUP_hash_dir.3ossl(3).

2021-09-09 3.0.0 OpenSSL