I am in C#, but I can also do this task manually on the command line if need be.
I have an X509 certificate revocation list in PEM format, generated by an HSM (hardware security module). Using openssl from a command line, I can see that the PEM file contains a collection of certificate serial numbers. I want to extract these serial numbers.
- I have tried BouncyCastle, but the class X509Crl only exposes a method IsRevoked that takes an X509Certificate and returns a boolean. It refuses to give me the list of serial numbers.
- I have looked at PKISolutions/pkix.net, but I cannot find any NuGet of it.
- I have looked at System.Formats.Asn1.AsnDecoder, but I don't understand how to use it.
Here is an example of my raw PEM:
-----BEGIN X509 CRL-----
MIIBcjCB+AIBATAKBggqhkjOPQQDAjBHMRwwGgYDVQQDDBMzU2hhcGUgS01TIFJv
b3QgMDAxMRYwFAYDVQQLDA1Ob25wcm9kdWN0aW9uMQ8wDQYDVQQKDAYzU2hhcGUX
DTIyMDkyMTE1NTA0OFoXDTI3MDkyMDE1NTA0OFowTjAlAhQbNlLUqfFJRnPUKF9N
gTAsM4lFOBcNMjIwOTIxMTU0OTI1WjAlAhQbNlLUqfFJRnPUKF9NgTAsM4lFORcN
MjIwOTIxMTU1MDQ4WqAwMC4wHwYDVR0jBBgwFoAUJlmqlqHSmhcu0m7aSgroirdg
dWYwCwYDVR0UBAQCAhABMAoGCCqGSM49BAMCA2kAMGYCMQCDRejYgOYC8zC91vqm
4D9X4H3IEjKQKfO3vQFd8iE4Q6ao+dBeIZ342nhosnePVxMCMQCHRXwB3eOkIv7u
1gzDvu9bXlsWNG8cgR5coTd0re/zRqN7cXuDlkR+h2mQdb0p/Eg=
-----END X509 CRL-----
Using openssl on a command line I can get this:
PS E:\Raven\2022-09-21> openssl crl -in E:\Raven\2022-09-21\3shape_kms_intermediate_crl_nonproduction_001-003.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = 3Shape KMS Root 001, OU = Nonproduction, O = 3Shape
Last Update: Sep 21 15:50:48 2022 GMT
Next Update: Sep 20 15:50:48 2027 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:26:59:AA:96:A1:D2:9A:17:2E:D2:6E:DA:4A:0A:E8:8A:B7:60:75:66
X509v3 CRL Number:
4097
Revoked Certificates:
Serial Number: 1B3652D4A9F1494673D4285F4D81302C33894538
Revocation Date: Sep 21 15:49:25 2022 GMT
Serial Number: 1B3652D4A9F1494673D4285F4D81302C33894539
Revocation Date: Sep 21 15:50:48 2022 GMT
Signature Algorithm: ecdsa-with-SHA256
30:66:02:31:00:83:45:e8:d8:80:e6:02:f3:30:bd:d6:fa:a6:
e0:3f:57:e0:7d:c8:12:32:90:29:f3:b7:bd:01:5d:f2:21:38:
43:a6:a8:f9:d0:5e:21:9d:f8:da:78:68:b2:77:8f:57:13:02:
31:00:87:45:7c:01:dd:e3:a4:22:fe:ee:d6:0c:c3:be:ef:5b:
5e:5b:16:34:6f:1c:81:1e:5c:a1:37:74:ad:ef:f3:46:a3:7b:
71:7b:83:96:44:7e:87:69:90:75:bd:29:fc:48
Those serial numbers are what I want to extract. How can I do that, either in C# or on the command line?
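
One way to read the serial numbers in C# with the built-in `System.Formats.Asn1` reader (.NET 5 or later), as an added example that is not part of the original post. The class and method names are illustrative, and the embedded PEM is the one quoted in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;

static class CrlSerials
{
    // The CRL from the question, embedded so the example runs offline.
    const string SamplePem = @"-----BEGIN X509 CRL-----
MIIBcjCB+AIBATAKBggqhkjOPQQDAjBHMRwwGgYDVQQDDBMzU2hhcGUgS01TIFJv
b3QgMDAxMRYwFAYDVQQLDA1Ob25wcm9kdWN0aW9uMQ8wDQYDVQQKDAYzU2hhcGUX
DTIyMDkyMTE1NTA0OFoXDTI3MDkyMDE1NTA0OFowTjAlAhQbNlLUqfFJRnPUKF9N
gTAsM4lFOBcNMjIwOTIxMTU0OTI1WjAlAhQbNlLUqfFJRnPUKF9NgTAsM4lFORcN
MjIwOTIxMTU1MDQ4WqAwMC4wHwYDVR0jBBgwFoAUJlmqlqHSmhcu0m7aSgroirdg
dWYwCwYDVR0UBAQCAhABMAoGCCqGSM49BAMCA2kAMGYCMQCDRejYgOYC8zC91vqm
4D9X4H3IEjKQKfO3vQFd8iE4Q6ao+dBeIZ342nhosnePVxMCMQCHRXwB3eOkIv7u
1gzDvu9bXlsWNG8cgR5coTd0re/zRqN7cXuDlkR+h2mQdb0p/Eg=
-----END X509 CRL-----";

    // Walks TBSCertList (RFC 5280, section 5.1); returns revoked serials as uppercase hex.
    public static List<string> Extract(string pem)
    {
        PemFields fields = PemEncoding.Find(pem);
        if (pem[fields.Label] != "X509 CRL")
            throw new ArgumentException("PEM block is not an X509 CRL");
        byte[] der = Convert.FromBase64String(pem[fields.Base64Data]);
        // CertificateList -> tbsCertList; the outer signature fields are not needed here.
        AsnReader tbs = new AsnReader(der, AsnEncodingRules.DER).ReadSequence().ReadSequence();
        if (tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Integer))
            tbs.ReadEncodedValue();                 // version (optional)
        tbs.ReadEncodedValue();                     // signature AlgorithmIdentifier
        tbs.ReadEncodedValue();                     // issuer Name
        tbs.ReadEncodedValue();                     // thisUpdate
        if (tbs.HasData && IsTime(tbs.PeekTag()))
            tbs.ReadEncodedValue();                 // nextUpdate (optional)

        var serials = new List<string>();
        if (!tbs.HasData || !tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence))
            return serials;                         // revokedCertificates omitted: empty CRL
        AsnReader revoked = tbs.ReadSequence();
        while (revoked.HasData)
        {
            // Each entry starts with userCertificate, the serial number INTEGER.
            ReadOnlySpan<byte> serial = revoked.ReadSequence().ReadIntegerBytes().Span;
            if (serial.Length > 1 && serial[0] == 0)
                serial = serial[1..];               // drop the DER sign-padding byte
            serials.Add(Convert.ToHexString(serial));
        }
        return serials;
    }
    static bool IsTime(Asn1Tag t) =>
        t.HasSameClassAndValue(Asn1Tag.UtcTime) || t.HasSameClassAndValue(Asn1Tag.GeneralizedTime);
    static void Main() => Console.WriteLine(string.Join(Environment.NewLine, Extract(SamplePem)));
}
```

This only parses the list; it does not verify the CRL signature, so validate that against the issuer's public key before acting on the serial numbers.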