CA CRL Database - dogtagpki/pki GitHub Wiki
dn: ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com serialno: 010 ou: crlIssuingPoints objectClass: top objectClass: repository
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com objectClass: top objectClass: crlIssuingPointRecord cn: MasterCRL crlNumber: 0218 deltaNumber: 010 crlSize: 010 deltaSize: 02-1 firstUnsaved: -1 revokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4 unrevokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkR mFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4 expiredCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4 certificateRevocationList:: MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDB ZDQSBTaWduaW5nIENlcnRpZmljYXRlFw0yMjA5MTkxNTA3MDBaFw0yMjA5MTkxNzAwMDBaoC8wLTA fBgNVHSMEGDAWgBS3uDl1CFgBPCTwL0T7i25mJAxejjAKBgNVHRQEAwIBEjANBgkqhkiG9w0BAQsF AAOCAQEAnBbdkudwRKouGEYivDgvzEK5+g7BKH+xCSnVLiv/LBB/iZ6izCLNTJ8XI7Jvvr03MgSVp A2Rxi9H8JCXy4W8eVQ2JYk49+yG42Frt9EfYD+0tudUOLJesXfep+YMdVfjfpMNOnP1oa+TeXomaa RXbntgfIreff0lGyAwRo4bblw3lrJz4LKqVJwS+ODwgtFqEH41W+DdihVto37YRsZayvbpoAcbUtH O5S5xK1G6mGB2ZpZ+uIcpIjnvaxrDyi0S1iiURyi+pAHXNrWxZ6vE+si5pUAJURWpYG/0SrfsmJzA h8PnuOAomHrmnRvlVm+KM1BpFVccIIf3WunaZOeipw== nextUpdate: 20220919170000Z thisUpdate: 20220919150700Z
To retrieve the full CRL:
$ ldapsearch \
-H ldap://$HOSTNAME:389 \
-x \
-D "cn=Directory Manager" \
-w Secret.123 \
-b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
-o ldif_wrap=no \
-t \
"(objectClass=crlIssuingPointRecord)" \
certificateRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
certificateRevocationList:< file://<path>
To view the full CRL:
$ openssl crl \
-in <path> \
-inform DER \
-text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
Last Update: Sep 20 18:34:37 2022 GMT
Next Update: Sep 21 01:00:00 2022 GMT
CRL extensions:
X509v3 Authority Key Identifier:
2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: B5BB84A2F079DB51F188038334A4EDC7
Revocation Date: Sep 20 18:34:37 2022 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Certificate Hold
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
14:3f:e7:b1:5b:f9:02:90:77:bb:92:83:ea:dc:1b:df:4a:5a:
ff:ed:06:39:32:de:bc:f3:09:63:8b:ef:59:8a:ca:69:ed:e5:
2b:8d:3b:8a:11:fd:d8:8a:22:62:ad:29:e2:bc:54:fa:33:fb:
49:c0:a1:09:90:c5:93:ed:cc:da:42:d5:6b:40:35:ef:7b:97:
37:59:0e:ba:d0:60:08:cd:8f:e7:ec:53:b1:0d:05:7e:5f:1d:
d3:0c:84:e1:bf:88:85:d8:1f:e4:d2:0c:6a:aa:0f:6d:3d:7a:
f0:fd:57:ff:55:18:f8:74:de:1c:55:9a:17:f6:04:04:7e:1e:
4c:25:57:d6:85:40:0b:3a:c4:16:d6:96:20:25:34:99:3f:dd:
33:f2:06:6e:27:17:a0:dc:52:d3:8c:eb:17:75:85:f6:b4:d7:
d0:68:d8:c4:c5:b1:9a:4b:67:0e:b8:1d:d6:bd:57:73:52:57:
52:bc:c5:e0:14:13:fc:07:17:5e:0b:26:d4:29:15:2b:bc:90:
28:f2:05:93:c8:f1:ec:6a:02:fb:6e:52:16:0d:34:9e:2d:45:
06:9a:65:7c:0e:c6:b3:00:b0:77:da:84:76:db:75:42:1d:36:
0c:2b:05:02:e9:02:94:c9:73:74:84:76:cc:bd:cc:29:67:71:
52:fa:a0:ff:e4:c4:8a:4b:3d:b9:85:87:24:d6:be:e5:42:45:
7a:a2:0d:a2:c9:27:eb:3c:6e:92:8b:4a:cb:a4:62:a3:0f:0f:
63:5f:d4:c1:d5:7d:18:59:28:03:33:5e:89:9e:63:86:80:8d:
f3:4b:13:22:24:c0:ad:e2:21:20:7c:86:86:13:ce:72:14:ff:
a7:e7:c1:ba:2f:e8:d3:4e:1d:c5:c7:36:84:a0:87:bd:97:8b:
3d:eb:f4:2b:83:26:18:e9:56:13:bc:78:b7:5e:a3:be:48:55:
70:6b:ce:3f:98:aa:86:2e:8f:96:e9:26:be:7d:69:f6:76:a7:
7e:ba:0f:5c:7b:7e
To retrieve the delta CRL:
$ ldapsearch \
-H ldap://$HOSTNAME:389 \
-x \
-D "cn=Directory Manager" \
-w Secret.123 \
-b "ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
-o ldif_wrap=no \
-t \
"(objectClass=crlIssuingPointRecord)" \
deltaRevocationList
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
deltaRevocationList:< file://<path>
To view the delta CRL:
$ openssl crl \
-in <path> \
-inform DER \
-text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
Last Update: Sep 20 18:34:40 2022 GMT
Next Update: Sep 20 21:00:00 2022 GMT
CRL extensions:
X509v3 Authority Key Identifier:
2A:CD:A8:AD:38:37:99:8B:20:6C:52:FA:43:28:1E:48:E4:05:84:5B
X509v3 CRL Number:
3
X509v3 Delta CRL Indicator: critical
2
Revoked Certificates:
Serial Number: B5BB84A2F079DB51F188038334A4EDC7
Revocation Date: Sep 20 18:34:40 2022 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Remove From CRL
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
36:3a:c8:35:e1:3a:fc:a7:75:57:af:d1:da:ed:a1:9b:11:06:
f2:33:2c:f4:68:a6:81:76:e6:02:f8:eb:57:8e:00:b7:96:fa:
91:ae:30:24:97:a5:4a:62:a9:ec:f2:d2:2a:30:47:6f:ac:da:
27:8c:84:d6:10:ac:53:55:ec:e7:a7:8c:c0:5f:94:f0:a0:ec:
3d:00:76:fd:66:3a:70:4e:e9:e8:1d:1e:b4:88:cd:ab:27:2b:
d0:4e:73:ba:45:b4:7b:75:fc:c1:cb:0b:f6:d4:9e:f8:87:c4:
d8:8e:b3:3b:95:be:44:c9:6f:6a:b6:a9:7f:4f:ea:8b:17:67:
d3:c9:97:89:53:72:dc:1f:84:4d:fd:62:0f:8c:a6:93:81:00:
60:10:ec:de:ab:07:db:fd:76:20:01:b0:00:2f:be:00:65:15:
b5:9c:43:55:f8:22:3e:98:22:bf:eb:67:5e:59:de:fc:94:a2:
bd:7c:c2:62:78:f7:28:17:ba:af:95:36:48:92:f8:61:4f:72:
20:47:c7:09:81:d7:a1:0e:50:e8:ed:61:2e:b1:aa:34:af:05:
a9:cf:63:fe:20:6e:d4:16:93:89:43:15:88:5b:7f:e4:95:32:
a2:6a:2c:9a:de:53:15:21:b7:91:09:54:a0:57:ad:60:54:2b:
4c:95:74:75:fe:d8:45:ed:77:b1:49:f0:6a:71:c5:82:ee:f5:
4f:59:b3:c9:4c:a0:16:95:89:b6:bc:2e:87:15:3d:97:cb:1d:
e3:1b:b9:04:fd:51:fb:a9:df:14:32:39:47:a7:01:ba:c9:1b:
70:3f:0c:15:92:9b:c8:ba:30:63:ac:54:0a:d5:84:8d:1a:cf:
35:13:e7:75:15:08:8a:01:c1:de:ac:9f:ac:1c:93:8e:2b:42:
8d:10:83:32:5a:3a:87:27:de:0a:a3:ef:0f:f4:03:d9:30:8b:
ab:58:3b:9b:cf:0e:4a:42:02:6e:2e:b7:ae:8e:17:99:0a:d0:
1a:ba:e0:f2:4d:5b