
CA CRL Database

Endi S. Dewata edited this page Sep 20, 2022 · 3 revisions

CRL Container

dn: ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
serialno: 010
ou: crlIssuingPoints
objectClass: top
objectClass: repository

CRL Record

dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
objectClass: top
objectClass: crlIssuingPointRecord
cn: MasterCRL
crlNumber: 0218
deltaNumber: 010
crlSize: 010
deltaSize: 02-1
firstUnsaved: -1
revokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF
 jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
unrevokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkR
 mFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
expiredCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF
 jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
certificateRevocationList:: MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDB
 ZDQSBTaWduaW5nIENlcnRpZmljYXRlFw0yMjA5MTkxNTA3MDBaFw0yMjA5MTkxNzAwMDBaoC8wLTA
 fBgNVHSMEGDAWgBS3uDl1CFgBPCTwL0T7i25mJAxejjAKBgNVHRQEAwIBEjANBgkqhkiG9w0BAQsF
 AAOCAQEAnBbdkudwRKouGEYivDgvzEK5+g7BKH+xCSnVLiv/LBB/iZ6izCLNTJ8XI7Jvvr03MgSVp
 A2Rxi9H8JCXy4W8eVQ2JYk49+yG42Frt9EfYD+0tudUOLJesXfep+YMdVfjfpMNOnP1oa+TeXomaa
 RXbntgfIreff0lGyAwRo4bblw3lrJz4LKqVJwS+ODwgtFqEH41W+DdihVto37YRsZayvbpoAcbUtH
 O5S5xK1G6mGB2ZpZ+uIcpIjnvaxrDyi0S1iiURyi+pAHXNrWxZ6vE+si5pUAJURWpYG/0SrfsmJzA
 h8PnuOAomHrmnRvlVm+KM1BpFVccIIf3WunaZOeipw==
nextUpdate: 20220919170000Z
thisUpdate: 20220919150700Z
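The counters in this record are not plain integers: Dogtag writes each BigInteger-valued attribute as a two-digit length prefix followed by the decimal digits (so crlNumber 0218 is 18, crlSize 010 is 0 and deltaSize 02-1 is -1, and the container's serialno 010 is 0), while revokedCerts, unrevokedCerts and expiredCerts are Java-serialized java.util.Hashtable objects (the rO0AB prefix decodes to AC ED 00 05, the Java serialization stream header). The script below is an added example, not part of this page or of the Dogtag code base; its function names and its sample LDIF (the record above with the long certificateRevocationList value left out) are mine. It unfolds the LDIF, decodes the counters, reads the Hashtable's element count as two integers without deserializing anything, and flags a record whose nextUpdate has already passed.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the page's crlIssuingPointRecord without the long
# certificateRevocationList value; revokedCerts is kept, folded at 78 columns
# the way the page shows it (a continuation line starts with one space).
SAMPLE_LDIF = """\
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
objectClass: top
objectClass: crlIssuingPointRecord
cn: MasterCRL
crlNumber: 0218
deltaNumber: 010
crlSize: 010
deltaSize: 02-1
firstUnsaved: -1
revokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF
 jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
nextUpdate: 20220919170000Z
thisUpdate: 20220919150700Z
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}: unfold continuation
    lines and base64-decode values written with '::'."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):                        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry

def decode_db_integer(text):
    """Dogtag stores BigInteger attributes as a two-digit length prefix followed
    by the decimal digits: '0218' -> 18, '010' -> 0, '02-1' -> -1."""
    length, digits = int(text[:2]), text[2:]
    if len(digits) != length:
        raise ValueError("length prefix %d does not match %r" % (length, digits))
    return int(digits)

def java_hashtable_count(blob):
    """Element count of a Java-serialized java.util.Hashtable. Its writeObject()
    emits an 8-byte block (TC_BLOCKDATA 0x77, length 8) holding the bucket count
    and the element count; only those integers are read, nothing is deserialized."""
    if not blob.startswith(b"\xac\xed\x00\x05") or b"java.util.Hashtable" not in blob:
        raise ValueError("not a Java-serialized Hashtable")
    i = blob.index(b"\x77\x08")
    return int.from_bytes(blob[i + 6:i + 10], "big")

def parse_ldap_time(text):
    """LDAP generalized time such as '20220919170000Z' to an aware datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_crl_record(text, now):
    """Decode the record's counters and flag a CRL that is past its nextUpdate;
    `now` is given in the same '20220920120000Z' format as the record."""
    e = parse_ldif_entry(text)
    r = {name: decode_db_integer(e[name][0])
         for name in ("crlNumber", "deltaNumber", "crlSize", "deltaSize")}
    r["thisUpdate"] = parse_ldap_time(e["thisUpdate"][0])
    r["nextUpdate"] = parse_ldap_time(e["nextUpdate"][0])
    r["stale"] = parse_ldap_time(now) > r["nextUpdate"]  # relying parties treat it as stale
    r["revokedCertsEntries"] = java_hashtable_count(e["revokedCerts"][0])
    r["hasDelta"] = r["deltaSize"] >= 0                    # -1 here: no deltaRevocationList stored
    return r

if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    for key, value in check_crl_record(SAMPLE_LDIF, now).items():
        print("%-20s %s" % (key, value))
```

Run against a live record by replacing SAMPLE_LDIF with the output of the ldapsearch in the next section (without -t and with -o ldif_wrap=no, so the base64 values arrive unfolded). A stale result is the first thing to check when clients start failing revocation checks, since a CRL whose nextUpdate has passed is rejected regardless of its contents.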

Retrieving Full CRL

To retrieve the full CRL (with -t, ldapsearch writes the binary certificateRevocationList value to a temporary file and prints that file's path in place of the value):

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=crlIssuingPointRecord)" \
    certificateRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
certificateRevocationList:< file://<path>

To view the full CRL, pass the temporary file that ldapsearch printed as <path>:

$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Sep 20 18:34:37 2022 GMT
        Next Update: Sep 21 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: B5BB84A2F079DB51F188038334A4EDC7
        Revocation Date: Sep 20 18:34:37 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:3f:e7:b1:5b:f9:02:90:77:bb:92:83:ea:dc:1b:df:4a:5a:
        ff:ed:06:39:32:de:bc:f3:09:63:8b:ef:59:8a:ca:69:ed:e5:
        2b:8d:3b:8a:11:fd:d8:8a:22:62:ad:29:e2:bc:54:fa:33:fb:
        49:c0:a1:09:90:c5:93:ed:cc:da:42:d5:6b:40:35:ef:7b:97:
        37:59:0e:ba:d0:60:08:cd:8f:e7:ec:53:b1:0d:05:7e:5f:1d:
        d3:0c:84:e1:bf:88:85:d8:1f:e4:d2:0c:6a:aa:0f:6d:3d:7a:
        f0:fd:57:ff:55:18:f8:74:de:1c:55:9a:17:f6:04:04:7e:1e:
        4c:25:57:d6:85:40:0b:3a:c4:16:d6:96:20:25:34:99:3f:dd:
        33:f2:06:6e:27:17:a0:dc:52:d3:8c:eb:17:75:85:f6:b4:d7:
        d0:68:d8:c4:c5:b1:9a:4b:67:0e:b8:1d:d6:bd:57:73:52:57:
        52:bc:c5:e0:14:13:fc:07:17:5e:0b:26:d4:29:15:2b:bc:90:
        28:f2:05:93:c8:f1:ec:6a:02:fb:6e:52:16:0d:34:9e:2d:45:
        06:9a:65:7c:0e:c6:b3:00:b0:77:da:84:76:db:75:42:1d:36:
        0c:2b:05:02:e9:02:94:c9:73:74:84:76:cc:bd:cc:29:67:71:
        52:fa:a0:ff:e4:c4:8a:4b:3d:b9:85:87:24:d6:be:e5:42:45:
        7a:a2:0d:a2:c9:27:eb:3c:6e:92:8b:4a:cb:a4:62:a3:0f:0f:
        63:5f:d4:c1:d5:7d:18:59:28:03:33:5e:89:9e:63:86:80:8d:
        f3:4b:13:22:24:c0:ad:e2:21:20:7c:86:86:13:ce:72:14:ff:
        a7:e7:c1:ba:2f:e8:d3:4e:1d:c5:c7:36:84:a0:87:bd:97:8b:
        3d:eb:f4:2b:83:26:18:e9:56:13:bc:78:b7:5e:a3:be:48:55:
        70:6b:ce:3f:98:aa:86:2e:8f:96:e9:26:be:7d:69:f6:76:a7:
        7e:ba:0f:5c:7b:7e

Retrieving Delta CRL

To retrieve the delta CRL (again, -t writes the binary deltaRevocationList value to a temporary file and prints its path):

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=crlIssuingPointRecord)" \
    deltaRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
deltaRevocationList:< file://<path>

To view the delta CRL, pass the temporary file that ldapsearch printed as <path>:

$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Sep 20 18:34:40 2022 GMT
        Next Update: Sep 20 21:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
            X509v3 CRL Number:
                3
            X509v3 Delta CRL Indicator: critical
                2
Revoked Certificates:
    Serial Number: B5BB84A2F079DB51F188038334A4EDC7
        Revocation Date: Sep 20 18:34:40 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Remove From CRL
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        36:3a:c8:35:e1:3a:fc:a7:75:57:af:d1:da:ed:a1:9b:11:06:
        f2:33:2c:f4:68:a6:81:76:e6:02:f8:eb:57:8e:00:b7:96:fa:
        91:ae:30:24:97:a5:4a:62:a9:ec:f2:d2:2a:30:47:6f:ac:da:
        27:8c:84:d6:10:ac:53:55:ec:e7:a7:8c:c0:5f:94:f0:a0:ec:
        3d:00:76:fd:66:3a:70:4e:e9:e8:1d:1e:b4:88:cd:ab:27:2b:
        d0:4e:73:ba:45:b4:7b:75:fc:c1:cb:0b:f6:d4:9e:f8:87:c4:
        d8:8e:b3:3b:95:be:44:c9:6f:6a:b6:a9:7f:4f:ea:8b:17:67:
        d3:c9:97:89:53:72:dc:1f:84:4d:fd:62:0f:8c:a6:93:81:00:
        60:10:ec:de:ab:07:db:fd:76:20:01:b0:00:2f:be:00:65:15:
        b5:9c:43:55:f8:22:3e:98:22:bf:eb:67:5e:59:de:fc:94:a2:
        bd:7c:c2:62:78:f7:28:17:ba:af:95:36:48:92:f8:61:4f:72:
        20:47:c7:09:81:d7:a1:0e:50:e8:ed:61:2e:b1:aa:34:af:05:
        a9:cf:63:fe:20:6e:d4:16:93:89:43:15:88:5b:7f:e4:95:32:
        a2:6a:2c:9a:de:53:15:21:b7:91:09:54:a0:57:ad:60:54:2b:
        4c:95:74:75:fe:d8:45:ed:77:b1:49:f0:6a:71:c5:82:ee:f5:
        4f:59:b3:c9:4c:a0:16:95:89:b6:bc:2e:87:15:3d:97:cb:1d:
        e3:1b:b9:04:fd:51:fb:a9:df:14:32:39:47:a7:01:ba:c9:1b:
        70:3f:0c:15:92:9b:c8:ba:30:63:ac:54:0a:d5:84:8d:1a:cf:
        35:13:e7:75:15:08:8a:01:c1:de:ac:9f:ac:1c:93:8e:2b:42:
        8d:10:83:32:5a:3a:87:27:de:0a:a3:ef:0f:f4:03:d9:30:8b:
        ab:58:3b:9b:cf:0e:4a:42:02:6e:2e:b7:ae:8e:17:99:0a:d0:
        1a:ba:e0:f2:4d:5b
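The two openssl listings above (the full CRL and the delta CRL) show what a relying party needs from each: the CRL number, the critical Delta CRL Indicator naming the base CRL, and the per-entry reason code, where Remove From CRL in the delta cancels the Certificate Hold entry that the full CRL carries. The Python below is an added example, not code from this page or from Dogtag; the DER reader, parse_crl, apply_delta, tlv and build_sample_crl are mine, and the two sample CRLs are constructed to mirror the listings (same issuer CN, times, serial and reason codes) with a zero placeholder where the signature would be. It parses both and combines them under the RFC 5280 section 5.2.4 rule that a delta applies only to a full CRL whose number lies between the delta's BaseCRLNumber and its own CRL number.

```python
from datetime import datetime, timezone

OID_CRL_NUMBER, OID_REASON_CODE, OID_DELTA_INDICATOR = b"\x55\x1d\x14", b"\x55\x1d\x15", b"\x55\x1d\x1b"
REASONS = {0: "unspecified", 1: "keyCompromise", 6: "certificateHold", 8: "removeFromCRL"}

def der_read(buf, pos=0):
    """Read one TLV at buf[pos] (single-byte tags are all a CRL uses); return (tag, content, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        items.append((tag, value))
    return items

def der_int(content):
    return int.from_bytes(content, "big", signed=True)

def der_time(tag, content):
    text = content.decode("ascii")
    if tag == 0x17:                                       # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def extensions(seq_content):
    """Yield (oid, extnValue content) per Extension, skipping the optional critical BOOLEAN."""
    for _, ext in der_children(seq_content):
        parts = der_children(ext)
        yield parts[0][1], parts[-1][1]

def parse_crl(der):
    """Extract what 'openssl crl -text' prints. The signature is NOT verified here."""
    _, tbs, _ = der_read(der_read(der)[1])                # CertificateList -> tbsCertList
    fields = der_children(tbs)
    i = (1 if fields[0][0] == 0x02 else 0) + 2            # optional version, then sig alg and issuer
    crl = {"this_update": der_time(*fields[i]), "next_update": None,
           "crl_number": None, "delta_base": None, "revoked": []}
    i += 1
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        crl["next_update"], i = der_time(*fields[i]), i + 1
    if i < len(fields) and fields[i][0] == 0x30:          # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            parts, reason = der_children(entry), "unspecified"
            if len(parts) > 2:                            # crlEntryExtensions present
                for oid, value in extensions(parts[2][1]):
                    if oid == OID_REASON_CODE:
                        reason = REASONS.get(der_read(value)[1][0], "other")
            crl["revoked"].append((format(der_int(parts[0][1]), "X"), reason))
        i += 1
    if i < len(fields) and fields[i][0] == 0xA0:          # [0] EXPLICIT crlExtensions
        for oid, value in extensions(der_read(fields[i][1])[1]):
            if oid == OID_CRL_NUMBER:
                crl["crl_number"] = der_int(der_read(value)[1])
            elif oid == OID_DELTA_INDICATOR:
                crl["delta_base"] = der_int(der_read(value)[1])
    return crl

def apply_delta(full, delta):
    """RFC 5280 5.2.4: the full CRL's number must lie in [BaseCRLNumber, delta number);
    a removeFromCRL entry in the delta lifts an entry the full CRL listed (typically a hold)."""
    if not (delta["delta_base"] <= full["crl_number"] < delta["crl_number"]):
        raise ValueError("delta CRL #%s (base %s) does not apply to full CRL #%s"
                         % (delta["crl_number"], delta["delta_base"], full["crl_number"]))
    effective = dict(full["revoked"])
    for serial, reason in delta["revoked"]:
        if reason == "removeFromCRL":
            effective.pop(serial, None)
        else:
            effective[serial] = reason
    return effective

def tlv(tag, body):
    """Tiny DER encoder, used only to build the constructed samples below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def build_sample_crl(number, this_update, next_update, revoked, delta_base=None):
    """Constructed sample mirroring the page's listings; the signature is a zero placeholder."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSAEncryption
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"CA Signing Certificate"))))
    entries = b""
    for serial, reason in revoked:
        serial_der = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive
        ext = tlv(0x30, tlv(0x06, OID_REASON_CODE) + tlv(0x04, tlv(0x0A, bytes([reason]))))
        entries += tlv(0x30, serial_der + tlv(0x17, this_update) + tlv(0x30, ext))
    exts = tlv(0x30, tlv(0x06, OID_CRL_NUMBER) + tlv(0x04, tlv(0x02, bytes([number]))))
    if delta_base is not None:                            # critical, as on the page's delta CRL
        exts += tlv(0x30, tlv(0x06, OID_DELTA_INDICATOR) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x02, bytes([delta_base]))))
    tbs = tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, this_update) + tlv(0x17, next_update)
    tbs += (tlv(0x30, entries) if entries else b"") + tlv(0xA0, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 33))

SERIAL = 0xB5BB84A2F079DB51F188038334A4EDC7              # the serial shown in both listings
FULL_CRL = build_sample_crl(2, b"220920183437Z", b"220921010000Z", [(SERIAL, 6)])
DELTA_CRL = build_sample_crl(3, b"220920183440Z", b"220920210000Z", [(SERIAL, 8)], delta_base=2)
```

parse_crl(FULL_CRL) and parse_crl(DELTA_CRL) return the same numbers, dates and reasons as the two listings, and apply_delta(parse_crl(FULL_CRL), parse_crl(DELTA_CRL)) returns an empty dict: the hold on serial B5BB...EDC7 was lifted. To read a real file, pass open(path, "rb").read() for the <path> that ldapsearch -t printed. Signature verification is deliberately left out of this parser; check a real CRL with openssl crl -verify -CAfile <CA signing certificate> before acting on its contents.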