118 lines
2.1 KiB
Plaintext
118 lines
2.1 KiB
Plaintext
|
=pod
|
||
|
|
||
|
=head1 NAME
|
||
|
|
||
|
crl - CRL utility
|
||
|
|
||
|
=head1 SYNOPSIS
|
||
|
|
||
|
B<openssl> B<crl>
|
||
|
[B<-inform PEM|DER>]
|
||
|
[B<-outform PEM|DER>]
|
||
|
[B<-text>]
|
||
|
[B<-in filename>]
|
||
|
[B<-out filename>]
|
||
|
[B<-noout>]
|
||
|
[B<-hash>]
|
||
|
[B<-issuer>]
|
||
|
[B<-lastupdate>]
|
||
|
[B<-nextupdate>]
|
||
|
[B<-CAfile file>]
|
||
|
[B<-CApath dir>]
|
||
|
|
||
|
=head1 DESCRIPTION
|
||
|
|
||
|
The B<crl> command processes CRL files in DER or PEM format.
|
||
|
|
||
|
=head1 COMMAND OPTIONS
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<-inform DER|PEM>
|
||
|
|
||
|
This specifies the input format. B<DER> format is DER encoded CRL
|
||
|
structure. B<PEM> (the default) is a base64 encoded version of
|
||
|
the DER form with header and footer lines.
|
||
|
|
||
|
=item B<-outform DER|PEM>
|
||
|
|
||
|
This specifies the output format, the options have the same meaning as the
|
||
|
B<-inform> option.
|
||
|
|
||
|
=item B<-in filename>
|
||
|
|
||
|
This specifies the input filename to read from or standard input if this
|
||
|
option is not specified.
|
||
|
|
||
|
=item B<-out filename>
|
||
|
|
||
|
specifies the output filename to write to or standard output by
|
||
|
default.
|
||
|
|
||
|
=item B<-text>
|
||
|
|
||
|
print out the CRL in text form.
|
||
|
|
||
|
=item B<-noout>
|
||
|
|
||
|
don't output the encoded version of the CRL.
|
||
|
|
||
|
=item B<-hash>
|
||
|
|
||
|
output a hash of the issuer name. This can be use to lookup CRLs in
|
||
|
a directory by issuer name.
|
||
|
|
||
|
=item B<-issuer>
|
||
|
|
||
|
output the issuer name.
|
||
|
|
||
|
=item B<-lastupdate>
|
||
|
|
||
|
output the lastUpdate field.
|
||
|
|
||
|
=item B<-nextupdate>
|
||
|
|
||
|
output the nextUpdate field.
|
||
|
|
||
|
=item B<-CAfile file>
|
||
|
|
||
|
verify the signature on a CRL by looking up the issuing certificate in
|
||
|
B<file>
|
||
|
|
||
|
=item B<-CApath dir>
|
||
|
|
||
|
verify the signature on a CRL by looking up the issuing certificate in
|
||
|
B<dir>. This directory must be a standard certificate directory: that
|
||
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||
|
to each certificate.
|
||
|
|
||
|
=back
|
||
|
|
||
|
=head1 NOTES
|
||
|
|
||
|
The PEM CRL format uses the header and footer lines:
|
||
|
|
||
|
-----BEGIN X509 CRL-----
|
||
|
-----END X509 CRL-----
|
||
|
|
||
|
=head1 EXAMPLES
|
||
|
|
||
|
Convert a CRL file from PEM to DER:
|
||
|
|
||
|
openssl crl -in crl.pem -outform DER -out crl.der
|
||
|
|
||
|
Output the text form of a DER encoded certificate:
|
||
|
|
||
|
openssl crl -in crl.der -text -noout
|
||
|
|
||
|
=head1 BUGS
|
||
|
|
||
|
Ideally it should be possible to create a CRL using appropriate options
|
||
|
and files too.
|
||
|
|
||
|
=head1 SEE ALSO
|
||
|
|
||
|
L<crl2pkcs7(1)|crl2pkcs7(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
|
||
|
|
||
|
=cut
|