A Certificate Revocation List (CRL) is a list of certificates that have been revoked. More precisely, the list contains the serial numbers of the revoked certificates, together with other information such as the revocation date and additional extensions which give more details about each revoked certificate and the reason for its revocation. The CRL also contains some global attributes such as the version, signature algorithm, issuer name, issue date of the CRL and next update date.
The most common type of Certificate Revocation List is X.509 v2, and CRLs are usually encoded in DER (binary) or PEM (text) format.
An example of a PEM encoded CRL can be seen below:
-----BEGIN X509 CRL-----
MIIDFDCCAfwCAQEwDQYJKoZIhvcNAQEFBQAwXzEjMCEGA1UEChMaU2FtcGxlIFNp
Z25lciBPcmdhbml6YXRpb24xGzAZBgNVBAsTElNhbXBsZSBTaWduZXIgVW5pdDEb
MBkGA1UEAxMSU2FtcGxlIFNpZ25lciBDZXJ0Fw0xMzAyMTgxMDMyMDBaFw0xMzAy
MTgxMDQyMDBaMIIBNjA8AgMUeUcXDTEzMDIxODEwMjIxMlowJjAKBgNVHRUEAwoB
AzAYBgNVHRgEERgPMjAxMzAyMTgxMDIyMDBaMDwCAxR5SBcNMTMwMjE4MTAyMjIy
WjAmMAoGA1UdFQQDCgEGMBgGA1UdGAQRGA8yMDEzMDIxODEwMjIwMFowPAIDFHlJ
Fw0xMzAyMTgxMDIyMzJaMCYwCgYDVR0VBAMKAQQwGAYDVR0YBBEYDzIwMTMwMjE4
MTAyMjAwWjA8AgMUeUoXDTEzMDIxODEwMjI0MlowJjAKBgNVHRUEAwoBATAYBgNV
HRgEERgPMjAxMzAyMTgxMDIyMDBaMDwCAxR5SxcNMTMwMjE4MTAyMjUxWjAmMAoG
A1UdFQQDCgEFMBgGA1UdGAQRGA8yMDEzMDIxODEwMjIwMFqgLzAtMB8GA1UdIwQY
MBaAFL4SAcyq6hGA2i6tsurHtfuf+a00MAoGA1UdFAQDAgEDMA0GCSqGSIb3DQEB
BQUAA4IBAQBCIb6B8cN5dmZbziETimiotDy+FsOvS93LeDWSkNjXTG/+bGgnrm3a
QpgB7heT8L2o7s2QtjX2DaTOSYL3nZ/Ibn/R8S0g+EbNQxdk5/la6CERxiRp+E2T
UG8LDb14YVMhRGKvCguSIyUG0MwGW6waqVtd6K71u7vhIU/Tidf6ZSdsTMhpPPFu
PUid4j29U3q10SGFF6cCt1DzjvUcCwHGhHA02Men70EgZFADPLWmLg0HglKUh1iZ
WcBGtev/8VsUijyjsM072C6Ut5TwNyrrthb952+eKlmxLNgT0o5hVYxjXhtwLQsL
7QZhrypAM1DLYqQjkiDI7hlvt7QuDGTJ
-----END X509 CRL-----
CERTivity allows opening Certificate Revocation Lists which are stored in local files, or from a remote location, using a given URL address which identifies the location of a CRL. To open a CRL the following actions have to be performed:
For a CRL stored in a local file: click on Menu File > Open > Open CRL > From File. A file chooser will appear allowing you to select one or more CRL files (having either the .crl or .pem extension). If a CRL that has to be opened has a different extension, an "All files" filter is available in the file chooser which allows selecting any file. After selecting one or more files, press Open, and each selected CRL will be opened in a different tab which displays the content details of the CRL. There is also drag and drop support for CRL files on Microsoft Windows and Linux platforms.
For a CRL from a remote location: click on Menu File > Open > Open CRL > From URL. A dialog will appear requesting the URL of the CRL. The CRL found at the location denoted by the given URL will be opened in a new tab. If the CRL is large, a progress bar will be displayed in the status bar until the CRL content is retrieved from the remote location. If the URL is invalid, an error message will be displayed informing the user of that, and another URL can be entered.
The dialog for entering the URL can be seen below:
After opening and closing several Certificate Revocation Lists, the most recently used CRLs can be found using Menu File > Open Recent File. For the CRLs which were opened from local files, the entire file path will be displayed in the menu that appears, while for the ones opened from URLs, the URL will be displayed. A simple click on the desired CRL in the menu will open it in a new tab. If the CRL has already been opened, the CRL's tab will be activated.
CERTivity displays the content of the CRL using a tree-like structure with a node for each field or group of fields of the CRL, as can be seen in the screenshot below:
Each node of the CRL tree contains the name of the field and its value in brackets, if the value is short enough to be displayed, as for Type, Version, This Update and Next Update.
For each selected node in the CRL tree, the content of the selected node will be displayed in the right panel. When the root of the tree is selected (which is the default when opening the CRL), the right panel will display the entire content of the CRL (as can be seen in the example screenshot above).
In this full display mode (root node of the tree selected), the ASN.1 representation and the CRL extensions are not displayed by default, but the user can make them visible by clicking on the ASN.1 and Extensions buttons, which expand the panel with the corresponding additional content.
Also, when the root node of the CRL tree is selected, the revoked certificates are displayed at the bottom of the right panel as a list containing, for each revoked certificate, the Serial Number, Revocation Date and Extensions. The Extensions column displays only the number of extensions, if the revoked certificate has any. To view the extensions of a certain revoked certificate, select the corresponding row of the table, and an additional panel will appear at the bottom of the table containing details about the extensions of the selected revoked certificate. The names of the available extensions of a revoked certificate can be viewed more quickly in the tooltip which appears when positioning the cursor over the revoked certificate row.
The same view of the revoked certificates and their extensions can be obtained by selecting the Revoked Certificates List node in the tree, as can be seen in the screenshot below:
If the Revoked Certificates List node is expanded, each revoked certificate becomes visible as a child node, which can itself be expanded further to see the fields of the Revoked Certificate (Serial Number, Revocation Date or Extensions).
If a Revoked Certificate node is selected, the right panel will display the fields contained by the selected revoked certificate, as can be seen below:
The extensions of the revoked certificate can also be seen by clicking the Extensions button, which displays the revoked certificate's extensions. Also, each field of the revoked certificate, including the extensions, can be viewed individually by selecting the corresponding field among the child nodes of the revoked certificate in the CRL tree.
The CRL Viewer from CERTivity allows viewing the content of the following CRL fields:
Type
The type of the CRL. In most cases, this is X.509;
Version
The version of the CRL. In most cases, the version is 2;
This Update
This field indicates the issue date of the current CRL;
Next Update
This field indicates the date by which the next CRL will be issued. As mentioned in RFC 5280, the next CRL could be issued before the indicated date, but it will not be issued any later than the indicated date.
When this field is selected in the CRL tree and displayed in the right panel, the date it holds is checked against the current date, and if that date has already passed, a red notice message is displayed under the field as a reminder that a newer CRL may have been issued;
Signature Algorithm
The algorithm that was used for the signature of the current CRL;
Issuer
The name of the entity that signed and issued the CRL. This field carries the issuer identity. Alternative name forms may also appear in the Issuer Alternative Name extension.
The value of this field is not displayed entirely in the CRL tree next to the node between brackets; only a part of it is shown. The full issuer details can be seen in the right panel when clicking on the node;
Extensions
The extensions of the CRL. According to RFC 5280, this field may only appear if the version is 2. If present, this field contains one or more CRL extensions.
The value of this field is not displayed entirely next to the node between brackets; only the number of extensions is displayed. The full details about the extensions can be seen in the right panel when clicking on the Extensions node;
Revoked Certificates
This field contains the list of revoked certificates. When there are no revoked certificates, this list is absent.
The revoked certificates are displayed as child nodes of this CRL tree node. The Revoked Certificates List node on its own displays only the number of revoked certificates. Also, the list of revoked certificates can be seen in the right panel by clicking on the Revoked Certificates List node.
The CRL tree contains one more node, ASN.1, which contains the ASN.1 representation of the current CRL. The value of this node can be viewed in the right panel when it is selected.
CRL extensions provide methods for associating additional attributes with CRLs. These extensions can be marked as critical or non-critical.
CERTivity can display the following CRL extensions, defined in the RFC 5280:
Authority Key Identifier
This extension provides a means of identifying the public key corresponding to the private key used to sign a CRL;
Issuer Alternative Name
This extension allows additional identities to be associated with the issuer of the CRL;
CRL Number
This extension contains a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL. CRL numbers also support the identification of complementary complete CRLs and delta CRLs;
Delta CRL Indicator
The delta CRL indicator identifies the CRL as being a delta CRL. Delta CRLs contain updates to revocation information previously distributed rather than all the information that would appear in a complete CRL;
Issuing Distribution Point
This extension identifies the CRL distribution point and scope for a particular CRL and indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, attribute certificates only or a limited set of reason codes;
Freshest CRL (or Delta CRL Distribution Point)
This extension identifies how delta CRL information for this complete CRL is obtained;
Authority Information Access
This extension carries Authority Information Access data for the issuer of the CRL; its use in a CRL is defined in RFC 5280.
Also, the following CRL Entry extensions can be displayed by CERTivity:
Reason Code
This extension identifies the reason for the certificate revocation. The possible reason codes are:
unspecified;
keyCompromise;
cACompromise;
affiliationChanged;
superseded;
cessationOfOperation;
certificateHold;
removeFromCRL;
privilegeWithdrawn;
aACompromise.
Invalidity Date
This extension provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry;
Certificate Issuer
This extension identifies the certificate issuer associated with an entry in an indirect CRL, that is, a CRL that has the indirectCRL indicator set in its issuing distribution point extension. When present, the certificate issuer CRL entry extension includes one or more names from the issuer field and/or issuer alternative name extension of the certificate that corresponds to the CRL entry.
More information about the CRL and CRL Entry extensions can be found in RFC 5280.
The revoked certificates (if present) can be viewed in CERTivity either by selecting the Revoked Certificates List node, which will display a table in the right panel containing the information about these certificates, or by expanding the Revoked Certificates List node and selecting its child nodes, which will display the available fields of the revoked certificate in the right panel. Also, each revoked certificate node can be expanded to see its individual fields.
For a revoked certificate, the following fields will be displayed:
Serial Number;
Revocation Date;
Extensions.
The number of revoked certificates present in the CRL can be seen next to the Revoked Certificates List node, in brackets.
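To make the CRL fields, the CRL Entry extensions and the revoked certificate fields described above concrete, here is a minimal pure-Python DER walker, added as an example here and not part of CERTivity, that decodes this page's sample CRL into the same items the CRL tree shows (Version, This Update, Next Update, CRL Number, and for each revoked certificate its serial number, revocation date, reason code and invalidity date) and applies the Next Update staleness check. It assumes the Next Update field is present and does not verify the CRL signature.

```python
import base64, datetime, re
SAMPLE_PEM = ("-----BEGIN X509 CRL-----\n"  # the sample CRL from this page, body re-joined onto fewer lines
    "MIIDFDCCAfwCAQEwDQYJKoZIhvcNAQEFBQAwXzEjMCEGA1UEChMaU2FtcGxlIFNp Z25lciBPcmdhbml6YXRpb24xGzAZBgNVBAsTElNhbXBsZSBTaWduZXIgVW5pdDEb MBkGA1UEAxMSU2FtcGxlIFNpZ25lciBDZXJ0Fw0xMzAyMTgxMDMyMDBaFw0xMzAy MTgxMDQyMDBaMIIBNjA8AgMUeUcXDTEzMDIxODEwMjIxMlowJjAKBgNVHRUEAwoB\n"
    "AzAYBgNVHRgEERgPMjAxMzAyMTgxMDIyMDBaMDwCAxR5SBcNMTMwMjE4MTAyMjIy WjAmMAoGA1UdFQQDCgEGMBgGA1UdGAQRGA8yMDEzMDIxODEwMjIwMFowPAIDFHlJ Fw0xMzAyMTgxMDIyMzJaMCYwCgYDVR0VBAMKAQQwGAYDVR0YBBEYDzIwMTMwMjE4 MTAyMjAwWjA8AgMUeUoXDTEzMDIxODEwMjI0MlowJjAKBgNVHRUEAwoBATAYBgNV\n"
    "HRgEERgPMjAxMzAyMTgxMDIyMDBaMDwCAxR5SxcNMTMwMjE4MTAyMjUxWjAmMAoG A1UdFQQDCgEFMBgGA1UdGAQRGA8yMDEzMDIxODEwMjIwMFqgLzAtMB8GA1UdIwQY MBaAFL4SAcyq6hGA2i6tsurHtfuf+a00MAoGA1UdFAQDAgEDMA0GCSqGSIb3DQEB BQUAA4IBAQBCIb6B8cN5dmZbziETimiotDy+FsOvS93LeDWSkNjXTG/+bGgnrm3a\n"
    "QpgB7heT8L2o7s2QtjX2DaTOSYL3nZ/Ibn/R8S0g+EbNQxdk5/la6CERxiRp+E2T UG8LDb14YVMhRGKvCguSIyUG0MwGW6waqVtd6K71u7vhIU/Tidf6ZSdsTMhpPPFu PUid4j29U3q10SGFF6cCt1DzjvUcCwHGhHA02Men70EgZFADPLWmLg0HglKUh1iZ WcBGtev/8VsUijyjsM072C6Ut5TwNyrrthb952+eKlmxLNgT0o5hVYxjXhtwLQsL\n"
    "7QZhrypAM1DLYqQjkiDI7hlvt7QuDGTJ\n-----END X509 CRL-----\n")
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged", 4: "superseded",
           5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
OID_REASON, OID_INVALIDITY, OID_CRL_NUMBER = b"\x55\x1d\x15", b"\x55\x1d\x18", b"\x55\x1d\x14"  # 2.5.29.{21,24,20}

def der_read(buf, pos=0):  # one DER TLV -> (tag, value, position after it); single-byte tags only
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):  # elements of a constructed value (SEQUENCE, [0], ...) as [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der_time(tag, value):  # UTCTime (0x17, YY...) or GeneralizedTime (0x18, YYYY...) -> aware UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def extensions(value):  # Extensions SEQUENCE -> [(OID bytes, inner tag, inner value)]; critical flag skipped
    return [(p[0][1], *der_read(p[-1][1])[:2]) for p in (der_children(e) for _, e in der_children(value))]

def parse_crl(pem):  # PEM CRL -> the fields CERTivity's tree shows; the signature is NOT verified here
    body = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S).group(1)
    tbs = der_children(der_children(der_read(base64.b64decode("".join(body.split())))[1])[0][1])
    i = 1 if tbs[0][0] == 0x02 else 0  # version INTEGER is optional; absent means v1, value 1 means v2
    crl = {"version": int.from_bytes(tbs[0][1], "big") + 1 if i else 1, "this_update": der_time(*tbs[i + 2]),
           "next_update": der_time(*tbs[i + 3]), "crl_number": None, "revoked": []}  # nextUpdate assumed present
    for tag, val in tbs[i + 4:]:  # optional tail: revokedCertificates SEQUENCE, then [0] crlExtensions
        if tag == 0x30:
            for _, entry in der_children(val):
                f = der_children(entry)  # userCertificate serial, revocationDate, [crlEntryExtensions]
                ext = {oid: (t, v) for oid, t, v in (extensions(f[2][1]) if len(f) > 2 else [])}
                crl["revoked"].append({"serial": int.from_bytes(f[0][1], "big"), "date": der_time(*f[1]),
                    "reason": REASONS.get(ext[OID_REASON][1][0], "unknown") if OID_REASON in ext else None,
                    "invalidity": der_time(*ext[OID_INVALIDITY]) if OID_INVALIDITY in ext else None})
        elif tag == 0xA0:
            crl["crl_number"] = next((int.from_bytes(v, "big") for oid, _, v in extensions(der_children(val)[0][1]) if oid == OID_CRL_NUMBER), None)
    return crl

def is_stale(crl, now=None):  # the Next Update reminder: True when a newer CRL should already have been issued
    return (now or datetime.datetime.now(datetime.timezone.utc)) > crl["next_update"]
```

Running parse_crl(SAMPLE_PEM) yields five revoked entries with reason codes affiliationChanged, certificateHold, superseded, keyCompromise and cessationOfOperation, CRL Number 3, and a Next Update of 2013-02-18 10:42:00 UTC, so is_stale reports the same reminder the viewer shows.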