Posted at: 2018-04-06 04:42:35  Category: memo


I'll download the DER-encoded CRL from the certificate's CRL Distribution Points and look inside it with openssl. "CRL Distribution Points" refers to the following entry in a certificate's extensions:
... (omitted) ...

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ev-server-g2.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ev-server-g2.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.2.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.1
... (omitted) ...
You and CRL: download it now.
$ wget http://crl3.digicert.com/sha2-ev-server-g2.crl
Let's have a look at the contents.
$ openssl crl -inform DER -in sha2-ev-server-g2.crl -text -noout

Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
Last Update: Apr 4 17:04:34 2018 GMT
Next Update: Apr 11 17:00:00 2018 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F

X509v3 CRL Number:
297
X509v3 Issuing Distrubution Point: critical
Full Name:
URI:http://crl3.digicert.com/sha2-ev-server-g2.crl

Revoked Certificates:
Serial Number: 0E6661714B51D961E7CC9F98898D3B09
Revocation Date: Jun 13 19:44:41 2017 GMT
Serial Number: 0C739DEE06FCE885BCB5470C18F593B2
Revocation Date: Jun 14 13:54:24 2017 GMT
Serial Number: 0AE90F05DED223B48FBD2978F54F2229
Revocation Date: Jun 15 18:00:13 2017 GMT
... (omitted: many more revoked certificate serial numbers) ...
Signature Algorithm: sha256WithRSAEncryption
28:1c:4a:ad:de:4e:24:cb:14:3a:33:52:6d:19:12:31:66:09:
64:6c:07:08:10:a8:3e:43:46:85:52:0d:c5:e0:26:0a:3e:a0:
ca:f6:bc:3f:1b:eb:22:99:b0:30:d1:54:64:e8:69:cf:12:98:
9c:b4:60:f9:24:45:d9:74:d5:f9:52:9f:7c:cc:e9:f0:de:89:
55:0f:6e:54:6a:16:49:05:e0:35:7d:36:39:74:3b:bb:3d:37:
a8:a8:f0:de:13:d3:dc:3c:a8:09:df:a6:34:c5:a6:fb:e2:76:
d9:1a:ea:a8:87:50:36:ee:3f:8f:84:68:21:9a:79:78:fd:4d:
f6:b9:ae:16:93:87:bf:12:d1:9d:5f:81:ed:94:25:38:89:e6:
26:1f:aa:b1:70:8e:4c:3c:b8:ee:1d:49:ed:76:6b:74:78:b0:
2d:d2:83:54:e1:fc:0f:1f:74:03:55:57:b3:5c:be:4b:88:6e:
91:22:71:84:cc:39:af:4d:f8:a6:29:b3:de:8e:61:57:b5:35:
12:6e:9f:a3:66:ea:3a:33:48:7e:97:37:5d:1c:ac:58:d6:06:
e9:c8:a8:ee:b4:34:44:4c:4e:52:85:af:00:56:89:a2:ae:d6:
c6:e2:1b:6b:2a:aa:32:57:a1:b2:4c:89:ae:7f:2e:8f:30:69:
21:23:ef:8c
Roughly five thousand EV certificates had been revoked.

To convert the CRL to PEM and write it to a file, without printing the text dump to standard output, use this command:
$ openssl crl -inform DER -in sha2-ev-server-g2.crl -outform PEM -out sha2-ev-server-g2.pem
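The fields openssl printed above (thisUpdate, nextUpdate, the revoked serial list) are what a revocation check actually consumes. As an added example that is not part of the original post, here is a stdlib-only DER walker that extracts them from a downloaded .crl file and answers "revoked / good / stale" for a serial; sample_crl() builds a constructed, unsigned stand-in (not real DigiCert data) so it runs offline, and the walker deliberately does not verify the CRL signature, which must be checked against the issuing CA before any result is trusted.

```python
from datetime import datetime, timezone

def _tlv(buf, pos=0):                                   # one DER TLV -> (tag, content, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(content):                                 # (tag, content) pairs inside a SEQUENCE
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out
def _time(tag, val):                                    # UTCTime (0x17) / GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):                # -> (this_update, next_update, {SERIAL_HEX: revocation_date})
    tbs = _children(_children(_tlv(der)[1])[0][1])      # CertificateList -> tbsCertList fields
    i = (1 if tbs[0][0] == 0x02 else 0) + 2             # skip optional version, sigAlg, issuer
    this_update, i = _time(*tbs[i]), i + 1
    next_update = _time(*tbs[i]) if i < len(tbs) and tbs[i][0] in (0x17, 0x18) else None
    i += next_update is not None                        # nextUpdate is OPTIONAL in RFC 5280
    revoked = {}
    if i < len(tbs) and tbs[i][0] == 0x30:              # revokedCertificates SEQUENCE OF
        for _, entry in _children(tbs[i][1]):
            (_, serial), date = _children(entry)[:2]
            serial = serial[1:] if len(serial) > 1 and serial[0] == 0 else serial  # drop sign pad
            revoked[serial.hex().upper()] = _time(*date)
    return this_update, next_update, revoked

def check_status(der, serial_hex, now=None):            # 'revoked' / 'good' / 'stale'
    _, next_update, revoked = parse_crl(der)
    if next_update is not None and (now or datetime.now(timezone.utc)) > next_update:
        return "stale"                                  # never decide on an expired CRL
    return "revoked" if serial_hex.upper() in revoked else "good"

def _enc(tag, content):                                 # short-form DER length (< 128) is enough here
    return bytes([tag, len(content)]) + content

def sample_crl():   # constructed, unsigned stand-in for the DigiCert CRL (not real CA data)
    utc = lambda s: _enc(0x17, s.encode())
    entry = lambda serial, when: _enc(0x30, _enc(0x02, bytes.fromhex(serial)) + utc(when))
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    tbs = (_enc(0x02, b"\x01") + sig_alg + _enc(0x30, b"")              # v2, sha256WithRSA, empty issuer
           + utc("180404170434Z") + utc("180411170000Z")                # thisUpdate, nextUpdate
           + _enc(0x30, entry("0e6661714b51d961e7cc9f98898d3b09", "170613194441Z")
                        + entry("00f0", "170614135424Z")))              # second serial is sign-padded
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00\x00"))  # placeholder sig
```

Against the real file, `check_status(open("sha2-ev-server-g2.crl", "rb").read(), serial)` returns "stale" today because the nextUpdate shown above (Apr 11 2018) has long passed, which is exactly the case a client must refuse to decide on.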