I need to extract the CRL location from a certificate authority so I can use that in verifying certificates. Is this possible using the `openssl` utility other than using the `-text` option and attempting to parse the output (which seems prone to vulnerabilities)?
Viewed 5,858 times
3

Shawn J. Goff
2 Answers
3
Still kind of parsing, but at least more precise than with `x509`.
It needs to be improved to better take into account lists; the `cut -b21-` is really a shortcut in case of a simple 1-element list.
```sh
openssl asn1parse -in whatever.crt | grep -A 1 'X509v3 CRL Distribution Points' | tail -1 | cut -d: -f 4 | cut -b21- | perl -ne 's/(..)/print chr(hex($1))/ge; END {print "\n"}'
```

```
http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl
```

compared to:

```sh
openssl x509 -text -in whatever.crt | grep -A4 'CRL Distribution Points'
```

```
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl
```
Or using any kind of programming language you could have something close, depending on how much the underlying libraries decode things for you:
```sh
php -r '$cert = file_get_contents("whatever.crt"); $ssl = openssl_x509_parse($cert); print_r($ssl["extensions"]["crlDistributionPoints"]);'
```

```
Full Name:
  URI:http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl
```

Patrick Mevzek
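The answer above extracts the URI from the hex dump that `openssl asn1parse` prints for the extension's OCTET STRING, and the `cut -b21-` shortcut works because, for one distribution point with one short URI, the DER value starts with exactly five two-byte headers (SEQUENCE, SEQUENCE, `[0]`, `[0]`, `[6]`), i.e. 20 hex characters. The following is an added example, not code from the question or either answer: a small DER walker that decodes the CRLDistributionPoints value structurally, so lists of distribution points and several URIs per point are handled, alongside a function that reproduces the `cut -b21-` shortcut to show where it stops being correct. All function names are hypothetical and the sample DER is constructed inline by `build_crl_dp()` rather than read from a real certificate.

```python
# Added example (not from the original question or answers): decode the
# CRLDistributionPoints extension value (RFC 5280, section 4.2.1.13) from DER
# bytes instead of regexing openssl's text output. Sample DER is constructed
# inline by build_crl_dp(); all names here are hypothetical.

TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0   # [0], constructed (used at two nesting levels)
TAG_CTX6_URI = 0x86           # GeneralName [6] uniformResourceIdentifier (IA5String)


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Parse the TLV starting at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def children(body: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def crl_uris(ext_value: bytes) -> list:
    """Return every URI in a DER CRLDistributionPoints value, in order.

    CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
    DistributionPointName ::= CHOICE { fullName [0] GeneralNames, ... }
    """
    outer_tag, points, _ = read_tlv(ext_value, 0)
    if outer_tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for dp_tag, dp in children(points):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in children(dp):
            if field_tag != TAG_CTX0_CONSTRUCTED:      # skip reasons [1] and cRLIssuer [2]
                continue
            for name_tag, names in children(field):
                if name_tag != TAG_CTX0_CONSTRUCTED:   # only fullName [0]; relative names skipped
                    continue
                for gn_tag, gn in children(names):
                    if gn_tag == TAG_CTX6_URI:         # other GeneralName forms ignored
                        uris.append(gn.decode("ascii"))
    return uris


def build_crl_dp(points) -> bytes:
    """Construct a sample CRLDistributionPoints value: one inner list of URIs per point."""
    encoded = b""
    for uris in points:
        general_names = b"".join(tlv(TAG_CTX6_URI, u.encode("ascii")) for u in uris)
        full_name = tlv(TAG_CTX0_CONSTRUCTED, general_names)   # fullName [0]
        dp_name = tlv(TAG_CTX0_CONSTRUCTED, full_name)         # distributionPoint [0]
        encoded += tlv(TAG_SEQUENCE, dp_name)
    return tlv(TAG_SEQUENCE, encoded)


def shortcut_cut_b21(hex_dump: str) -> str:
    """What the answer's `cut -b21-` does: drop 20 hex chars, i.e. the five 2-byte
    headers (SEQUENCE, SEQUENCE, [0], [0], [6]), and decode the rest as text.
    Only correct for a single DistributionPoint holding a single short URI."""
    return bytes.fromhex(hex_dump[20:]).decode("ascii", errors="replace")


if __name__ == "__main__":
    one = build_crl_dp([["http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl"]])
    two = build_crl_dp([["http://crl-a.example/1.crl"],
                        ["http://crl-b.example/2.crl", "ldap://crl-c.example/x"]])
    print(crl_uris(one), shortcut_cut_b21(one.hex()))   # shortcut agrees here
    print(crl_uris(two), shortcut_cut_b21(two.hex()))   # shortcut leaves trailing garbage
```

To apply this to a real certificate, feed `crl_uris()` the raw bytes of the extension value (for example the hex dump from `openssl asn1parse` after `bytes.fromhex`). The parser checks every length against the buffer before slicing, which is the property you lose when you grep and cut text output; it deliberately ignores `nameRelativeToCRLIssuer` and non-URI GeneralName forms rather than guessing at them.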
2
`openssl x509` has some switches to control the formatting of the output and it's possible to not display some fields, but getting just the CRL location does not seem to be possible. It seems you're bound to parse the output.

Gnarfoz
There is not only `x509` in `openssl` toolkit. – Patrick Mevzek Sep 28 '18 at 16:26