clean-crl - Man Page

remove orphaned CRL like files from a certificate directory


clean-crl [-l crlpath] [-v] [-V] [-n] [-h]


The clean-crl utility will remove CRL like files named hash.rn from the directory specified with the -l option if there is no corresponding .n file in the same. In effect, if the directory is solely used to hold CA certificates in the common OpenSSL format, it will thus remove CRL files for which the corresponding CA does  not or no longer exists in the directory.


-h --help

Show help text.

-l --cadir metadata-directory

The script will search this directory for files with the suffix .ri. There is no default - a common choice is /etc/pki/tls/certs,  /etc/openldap/cacerts, or /etc/grid-security/certificates.

-V --version

Display version number (same as corresponding fetch-crl)

-v --verbose

Verbose mode

-n --dryrun

Do not actually remove any files (useful primarily with -v)




This tool does not check the contents of the files removed, and will blindly unlink any file which even remotely looks like an OpenSSL CRL file. Use with extreme caution.

See Also

fetch-crl(8), openssl(1),


Exit status is normally 0; if an error occurs, exit status is 1 and diagnostics will be written to standard error.


Licensed under the Apache License, Version 2.0 (the "License");


Does not check the contents of the files removed.


local Trust Anchor Utilities