1=pod 2 3=head1 NAME 4 5crl - CRL utility 6 7=head1 SYNOPSIS 8 9B<openssl> B<crl> 10[B<-inform PEM|DER>] 11[B<-outform PEM|DER>] 12[B<-text>] 13[B<-in filename>] 14[B<-out filename>] 15[B<-nameopt option>] 16[B<-noout>] 17[B<-hash>] 18[B<-issuer>] 19[B<-lastupdate>] 20[B<-nextupdate>] 21[B<-CAfile file>] 22[B<-CApath dir>] 23 24=head1 DESCRIPTION 25 26The B<crl> command processes CRL files in DER or PEM format. 27 28=head1 COMMAND OPTIONS 29 30=over 4 31 32=item B<-inform DER|PEM> 33 34This specifies the input format. B<DER> format is DER encoded CRL 35structure. B<PEM> (the default) is a base64 encoded version of 36the DER form with header and footer lines. 37 38=item B<-outform DER|PEM> 39 40This specifies the output format, the options have the same meaning as the 41B<-inform> option. 42 43=item B<-in filename> 44 45This specifies the input filename to read from or standard input if this 46option is not specified. 47 48=item B<-out filename> 49 50specifies the output filename to write to or standard output by 51default. 52 53=item B<-text> 54 55print out the CRL in text form. 56 57=item B<-nameopt option> 58 59option which determines how the subject or issuer names are displayed. See 60the description of B<-nameopt> in L<x509(1)|x509(1)>. 61 62=item B<-noout> 63 64don't output the encoded version of the CRL. 65 66=item B<-hash> 67 68output a hash of the issuer name. This can be use to lookup CRLs in 69a directory by issuer name. 70 71=item B<-hash_old> 72 73outputs the "hash" of the CRL issuer name using the older algorithm 74as used by OpenSSL versions before 1.0.0. 75 76=item B<-issuer> 77 78output the issuer name. 79 80=item B<-lastupdate> 81 82output the lastUpdate field. 83 84=item B<-nextupdate> 85 86output the nextUpdate field. 87 88=item B<-CAfile file> 89 90verify the signature on a CRL by looking up the issuing certificate in 91B<file> 92 93=item B<-CApath dir> 94 95verify the signature on a CRL by looking up the issuing certificate in 96B<dir>. This directory must be a standard certificate directory: that 97is a hash of each subject name (using B<x509 -hash>) should be linked 98to each certificate. 99 100=back 101 102=head1 NOTES 103 104The PEM CRL format uses the header and footer lines: 105 106 -----BEGIN X509 CRL----- 107 -----END X509 CRL----- 108 109=head1 EXAMPLES 110 111Convert a CRL file from PEM to DER: 112 113 openssl crl -in crl.pem -outform DER -out crl.der 114 115Output the text form of a DER encoded certificate: 116 117 openssl crl -in crl.der -text -noout 118 119=head1 BUGS 120 121Ideally it should be possible to create a CRL using appropriate options 122and files too. 123 124=head1 SEE ALSO 125 126L<crl2pkcs7(1)|crl2pkcs7(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)> 127 128=cut 129