HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS > OpenSSL Command Line Interface (CLI) Reference


  Table of Contents



crl — CRL utility


openssl crl [-inform PEM|DER] [-outform PEM|DER] [-text] [-in filename] [-out filename] [-noout] [-hash] [-issuer] [-lastupdate] [-nextupdate] [-CAfile file] [-CApath dir]


The crl command processes CRL files in DER or PEM format.


  • -inform DER|PEM

    This specifies the input format. DER format is DER encoded CRL structure. PEM (the default) is a base64 encoded version of the DER form with header and footer lines.

  • -outform DER|PEM

    This specifies the output format, the options have the same meaning as the -inform option.

  • -in filename

    This specifies the input filename to read from or standard input if this option is not specified.

  • -out filename

    specifies the output filename to write to or standard output by default.

  • -text

    print out the CRL in text form.

  • -noout

    don't output the encoded version of the CRL.

  • -hash

    output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name.

  • -issuer

    output the issuer name.

  • -lastupdate

    output the lastUpdate field.

  • -nextupdate

    output the nextUpdate field.

  • -CAfile file

    verify the signature on a CRL by looking up the issuing certificate in file

  • -CApath dir

    verify the signature on a CRL by looking up the issuing certificate in dir. This directory must be a standard certificate directory: that is a hash of each subject name (using x509 -hash) should be linked to each certificate.


The PEM CRL format uses the header and footer lines:

 -----BEGIN X509 CRL-----
-----END X509 CRL-----


Convert a CRL file from PEM to DER:

 openssl crl -in crl.pem -outform DER -out crl.der

Output the text form of a DER encoded certificate:

 openssl crl -in crl.der -text -noout


Ideally it should be possible to create a CRL using appropriate options and files too.


crl2pkcs7(1), ca(1), x509(1)