# CA CRL Database
The CA keeps its CRL issuing points in the internal LDAP database under `ou=crlIssuingPoints,ou=ca,<CA base DN>`. Each issuing point is a `crlIssuingPointRecord` entry that carries the current CRL together with the issuing point's bookkeeping state. For example:

```
dn: ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
serialno: 010
ou: crlIssuingPoints
objectClass: top
objectClass: repository

dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
objectClass: top
objectClass: crlIssuingPointRecord
cn: MasterCRL
crlNumber: 0218
deltaNumber: 010
crlSize: 010
deltaSize: 02-1
firstUnsaved: -1
revokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
unrevokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
expiredCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
certificateRevocationList:: MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlFw0yMjA5MTkxNTA3MDBaFw0yMjA5MTkxNzAwMDBaoC8wLTAfBgNVHSMEGDAWgBS3uDl1CFgBPCTwL0T7i25mJAxejjAKBgNVHRQEAwIBEjANBgkqhkiG9w0BAQsFAAOCAQEAnBbdkudwRKouGEYivDgvzEK5+g7BKH+xCSnVLiv/LBB/iZ6izCLNTJ8XI7Jvvr03MgSVpA2Rxi9H8JCXy4W8eVQ2JYk49+yG42Frt9EfYD+0tudUOLJesXfep+YMdVfjfpMNOnP1oa+TeXomaaRXbntgfIreff0lGyAwRo4bblw3lrJz4LKqVJwS+ODwgtFqEH41W+DdihVto37YRsZayvbpoAcbUtHO5S5xK1G6mGB2ZpZ+uIcpIjnvaxrDyi0S1iiURyi+pAHXNrWxZ6vE+si5pUAJURWpYG/0SrfsmJzAh8PnuOAomHrmnRvlVm+KM1BpFVccIIf3WunaZOeipw==
nextUpdate: 20220919170000Z
thisUpdate: 20220919150700Z
```

A few things about this entry are easy to misread:

- Integer attributes are stored with a two-digit length prefix in front of the decimal value: `crlNumber: 0218` is CRL number 18 (it matches the CRL Number extension inside the DER), `deltaNumber: 010` and `crlSize: 010` are 0, and `deltaSize: 02-1` is -1. `firstUnsaved: -1` is stored as a plain string.
- `revokedCerts`, `unrevokedCerts` and `expiredCerts` are the issuing point's working tables of certificates revoked, released from hold and expired. Each value is a base64-encoded Java-serialized `java.util.Hashtable` (the `rO0ABXNy` prefix is the serialization stream header `AC ED 00 05` followed by the class descriptor); all three are empty in this example, which agrees with `crlSize` being 0.
- `certificateRevocationList` is the DER-encoded CRL itself (`::` marks a base64 value), and `thisUpdate`/`nextUpdate` duplicate the CRL's validity window in LDAP generalized time so they can be searched without decoding the DER. A relying party must treat a CRL whose `nextUpdate` has passed as stale.
To retrieve the full CRL:

```
$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=crlIssuingPointRecord)" \
    certificateRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
certificateRevocationList:< file://<path>
```

`-t` makes ldapsearch write the binary attribute value to a temporary file and print a `file://` URL in place of the base64 blob, so the file at `<path>` is the raw DER CRL; `-o ldif_wrap=no` turns off LDIF line wrapping. Passing the Directory Manager password with `-w` exposes it in the process list and shell history; outside a throwaway test instance prefer `-W` (prompt) or `-y <file>` (read from a file).
To view the full CRL:

```
$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Sep 20 18:34:37 2022 GMT
        Next Update: Sep 21 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: B5BB84A2F079DB51F188038334A4EDC7
        Revocation Date: Sep 20 18:34:37 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:3f:e7:b1:5b:f9:02:90:77:bb:92:83:ea:dc:1b:df:4a:5a:
        ff:ed:06:39:32:de:bc:f3:09:63:8b:ef:59:8a:ca:69:ed:e5:
        2b:8d:3b:8a:11:fd:d8:8a:22:62:ad:29:e2:bc:54:fa:33:fb:
        49:c0:a1:09:90:c5:93:ed:cc:da:42:d5:6b:40:35:ef:7b:97:
        37:59:0e:ba:d0:60:08:cd:8f:e7:ec:53:b1:0d:05:7e:5f:1d:
        d3:0c:84:e1:bf:88:85:d8:1f:e4:d2:0c:6a:aa:0f:6d:3d:7a:
        f0:fd:57:ff:55:18:f8:74:de:1c:55:9a:17:f6:04:04:7e:1e:
        4c:25:57:d6:85:40:0b:3a:c4:16:d6:96:20:25:34:99:3f:dd:
        33:f2:06:6e:27:17:a0:dc:52:d3:8c:eb:17:75:85:f6:b4:d7:
        d0:68:d8:c4:c5:b1:9a:4b:67:0e:b8:1d:d6:bd:57:73:52:57:
        52:bc:c5:e0:14:13:fc:07:17:5e:0b:26:d4:29:15:2b:bc:90:
        28:f2:05:93:c8:f1:ec:6a:02:fb:6e:52:16:0d:34:9e:2d:45:
        06:9a:65:7c:0e:c6:b3:00:b0:77:da:84:76:db:75:42:1d:36:
        0c:2b:05:02:e9:02:94:c9:73:74:84:76:cc:bd:cc:29:67:71:
        52:fa:a0:ff:e4:c4:8a:4b:3d:b9:85:87:24:d6:be:e5:42:45:
        7a:a2:0d:a2:c9:27:eb:3c:6e:92:8b:4a:cb:a4:62:a3:0f:0f:
        63:5f:d4:c1:d5:7d:18:59:28:03:33:5e:89:9e:63:86:80:8d:
        f3:4b:13:22:24:c0:ad:e2:21:20:7c:86:86:13:ce:72:14:ff:
        a7:e7:c1:ba:2f:e8:d3:4e:1d:c5:c7:36:84:a0:87:bd:97:8b:
        3d:eb:f4:2b:83:26:18:e9:56:13:bc:78:b7:5e:a3:be:48:55:
        70:6b:ce:3f:98:aa:86:2e:8f:96:e9:26:be:7d:69:f6:76:a7:
        7e:ba:0f:5c:7b:7e
```

This full CRL (number 2) lists one certificate with reason `Certificate Hold`, a reversible suspension. Note that `-text` only decodes the CRL; it does not verify the signature. To check that the CRL was actually issued by the CA, pass the CA signing certificate with `-CAfile`, and compare the Authority Key Identifier above with the CA certificate's Subject Key Identifier.
To retrieve the delta CRL:

```
$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=crlIssuingPointRecord)" \
    deltaRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
deltaRevocationList:< file://<path>
```

The delta CRL lives in the `deltaRevocationList` attribute of the same issuing point entry. The `MasterCRL` entry shown at the top of this page carries no such attribute, so the search only returns a value on an issuing point that has actually generated a delta CRL. The same caveat about `-w` applies here.
To view the delta CRL:

```
$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Sep 20 18:34:40 2022 GMT
        Next Update: Sep 20 21:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
            X509v3 CRL Number:
                3
            X509v3 Delta CRL Indicator: critical
                2
Revoked Certificates:
    Serial Number: B5BB84A2F079DB51F188038334A4EDC7
        Revocation Date: Sep 20 18:34:40 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Remove From CRL
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        36:3a:c8:35:e1:3a:fc:a7:75:57:af:d1:da:ed:a1:9b:11:06:
        f2:33:2c:f4:68:a6:81:76:e6:02:f8:eb:57:8e:00:b7:96:fa:
        91:ae:30:24:97:a5:4a:62:a9:ec:f2:d2:2a:30:47:6f:ac:da:
        27:8c:84:d6:10:ac:53:55:ec:e7:a7:8c:c0:5f:94:f0:a0:ec:
        3d:00:76:fd:66:3a:70:4e:e9:e8:1d:1e:b4:88:cd:ab:27:2b:
        d0:4e:73:ba:45:b4:7b:75:fc:c1:cb:0b:f6:d4:9e:f8:87:c4:
        d8:8e:b3:3b:95:be:44:c9:6f:6a:b6:a9:7f:4f:ea:8b:17:67:
        d3:c9:97:89:53:72:dc:1f:84:4d:fd:62:0f:8c:a6:93:81:00:
        60:10:ec:de:ab:07:db:fd:76:20:01:b0:00:2f:be:00:65:15:
        b5:9c:43:55:f8:22:3e:98:22:bf:eb:67:5e:59:de:fc:94:a2:
        bd:7c:c2:62:78:f7:28:17:ba:af:95:36:48:92:f8:61:4f:72:
        20:47:c7:09:81:d7:a1:0e:50:e8:ed:61:2e:b1:aa:34:af:05:
        a9:cf:63:fe:20:6e:d4:16:93:89:43:15:88:5b:7f:e4:95:32:
        a2:6a:2c:9a:de:53:15:21:b7:91:09:54:a0:57:ad:60:54:2b:
        4c:95:74:75:fe:d8:45:ed:77:b1:49:f0:6a:71:c5:82:ee:f5:
        4f:59:b3:c9:4c:a0:16:95:89:b6:bc:2e:87:15:3d:97:cb:1d:
        e3:1b:b9:04:fd:51:fb:a9:df:14:32:39:47:a7:01:ba:c9:1b:
        70:3f:0c:15:92:9b:c8:ba:30:63:ac:54:0a:d5:84:8d:1a:cf:
        35:13:e7:75:15:08:8a:01:c1:de:ac:9f:ac:1c:93:8e:2b:42:
        8d:10:83:32:5a:3a:87:27:de:0a:a3:ef:0f:f4:03:d9:30:8b:
        ab:58:3b:9b:cf:0e:4a:42:02:6e:2e:b7:ae:8e:17:99:0a:d0:
        1a:ba:e0:f2:4d:5b
```

Two details tie this delta to the full CRL above. The critical `Delta CRL Indicator` with value 2 names the base CRL (CRL Number 2) that this delta (CRL Number 3) must be applied to; a relying party that holds a different base CRL must not use it. The entry's reason code `Remove From CRL` is the delta-only code that tells the relying party to drop the serial from its copy of the base list: the certificate that the base CRL placed on hold has been released. A delta CRL also has its own, typically much shorter, `Next Update`, after which it is stale regardless of the base CRL's validity.
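The following script is an added example and is not part of the Dogtag code base or of this wiki page. Using only the Python standard library, it walks the DER of the `certificateRevocationList` value from the `cn=MasterCRL` entry at the top of the page and extracts the same fields that `openssl crl -text` prints above (issuer, Last/Next Update, revoked entries with their reason codes, CRL Number, Delta CRL Indicator), checks whether the CRL is current, and decodes Dogtag's length-prefixed integer attributes so the LDAP `crlNumber` can be cross-checked against the CRL Number extension. The function and dictionary key names are the example's own; the CRL bytes are the ones on this page, and the revoked-entry parser is exercised only by a constructed entry in the test since the page's CRL is empty.

```python
"""Stdlib-only parser for the DER CertificateList (RFC 5280, section 5.1) stored in
Dogtag's certificateRevocationList attribute, plus the checks a relying party runs on it."""
import base64
from datetime import datetime, timezone

# certificateRevocationList of the cn=MasterCRL entry on this page (LDIF wraps joined);
# it carries no revoked entries and CRL Number 18.
CRL_B64 = ("MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDB"
           "ZDQSBTaWduaW5nIENlcnRpZmljYXRlFw0yMjA5MTkxNTA3MDBaFw0yMjA5MTkxNzAwMDBaoC8wLTA"
           "fBgNVHSMEGDAWgBS3uDl1CFgBPCTwL0T7i25mJAxejjAKBgNVHRQEAwIBEjANBgkqhkiG9w0BAQsF"
           "AAOCAQEAnBbdkudwRKouGEYivDgvzEK5+g7BKH+xCSnVLiv/LBB/iZ6izCLNTJ8XI7Jvvr03MgSVp"
           "A2Rxi9H8JCXy4W8eVQ2JYk49+yG42Frt9EfYD+0tudUOLJesXfep+YMdVfjfpMNOnP1oa+TeXomaa"
           "RXbntgfIreff0lGyAwRo4bblw3lrJz4LKqVJwS+ODwgtFqEH41W+DdihVto37YRsZayvbpoAcbUtH"
           "O5S5xK1G6mGB2ZpZ+uIcpIjnvaxrDyi0S1iiURyi+pAHXNrWxZ6vE+si5pUAJURWpYG/0SrfsmJzA"
           "h8PnuOAomHrmnRvlVm+KM1BpFVccIIf3WunaZOeipw==")
OID_CN, OID_CRL_NUMBER, OID_REASON, OID_DELTA = "2.5.4.3", "2.5.29.20", "2.5.29.21", "2.5.29.27"
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
           8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}


def tlv(buf, pos=0):
    """(tag, value, next_pos) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


def oid(b):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content bytes."""
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def asn1_time(tag, val):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) -> aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def extensions(seq):
    """Extensions contents -> {oid: (critical, DER inside the extnValue OCTET STRING)}."""
    out = {}
    for _, ext in children(seq):
        parts = children(ext)  # extnID, [critical BOOLEAN], extnValue
        critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
        out[oid(parts[0][1])] = (critical, parts[-1][1])
    return out


def revoked_entry(contents):
    """Contents of one revokedCertificates element -> serial, revocation date, CRLReason name."""
    parts = children(contents)  # userCertificate, revocationDate, [crlEntryExtensions]
    exts = extensions(parts[2][1]) if len(parts) > 2 else {}
    reason = REASONS.get(tlv(exts[OID_REASON][1])[1][0], "unknown") if OID_REASON in exts else None
    return {"serial": int.from_bytes(parts[0][1], "big"), "date": asn1_time(*parts[1]), "reason": reason}


def parse_crl(der):
    """DER CertificateList -> the fields a relying party checks before using the CRL."""
    tbs, _sig_alg, _signature = children(tlv(der)[1])
    fields = children(tbs[1])
    crl = {"version": 1}
    if fields[0][0] == 0x02:  # version is optional and absent from v1 CRLs
        crl["version"] = int.from_bytes(fields.pop(0)[1], "big") + 1
    crl["sig_alg"] = oid(children(fields.pop(0)[1])[0][1])
    names = []  # issuer Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }
    for _, rdn_set in children(fields.pop(0)[1]):
        (_, typ), (_, val) = children(children(rdn_set)[0][1])
        names.append(f"{'CN' if oid(typ) == OID_CN else oid(typ)}={val.decode()}")
    crl["issuer"] = ",".join(names)
    crl["this_update"] = asn1_time(*fields.pop(0))
    crl["next_update"] = asn1_time(*fields.pop(0)) if fields and fields[0][0] in (0x17, 0x18) else None
    crl["revoked"] = []
    if fields and fields[0][0] == 0x30:  # revokedCertificates precedes crlExtensions [0]
        crl["revoked"] = [revoked_entry(e) for _, e in children(fields.pop(0)[1])]
    exts = extensions(children(fields.pop(0)[1])[0][1]) if fields and fields[0][0] == 0xA0 else {}
    for key, ext_oid in (("crl_number", OID_CRL_NUMBER), ("delta_base", OID_DELTA)):
        crl[key] = int.from_bytes(tlv(exts[ext_oid][1])[1], "big") if ext_oid in exts else None
    return crl


def is_current(crl, now):
    """A CRL is usable only between thisUpdate and nextUpdate; past nextUpdate, fetch a fresh one."""
    return crl["this_update"] <= now and (crl["next_update"] is None or now <= crl["next_update"])


def dogtag_int(value):
    """Decode the length-prefixed integers in the LDIF above ('0218' -> 18, '02-1' -> -1):
    two decimal digits give the length of the decimal string that follows."""
    if len(value) - 2 != int(value[:2]):
        raise ValueError(f"length prefix does not match in {value!r}")
    return int(value[2:])


def page_crl():
    """Parse the CRL embedded above."""
    return parse_crl(base64.b64decode(CRL_B64))
```

For a CRL fetched with the `ldapsearch -t` command above, read the file behind the `file://` URL as raw DER and pass it to `parse_crl`; a base64 value from LDIF goes through `base64.b64decode` first as `page_crl` does. The parser deliberately stops at decoding: it does not verify the signature, so it tells you what the CRL claims, not whether the CA signed it; signature verification against the CA signing certificate (for instance `openssl crl -CAfile`) remains a separate step.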