Overview

WebADM infrastructure comes with OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists), two methods used to check the revocation status of digital certificates.
OCSP allows for real-time certificate status checking by querying a certificate authority's OCSP server, while CRLs provide a list of revoked certificates that is periodically published by the CA. Both methods are used to verify that a certificate is still valid and has not been revoked. OCSP is considered to be more secure and efficient, as it allows for real-time checking, while CRLs rely on a regularly-updated list which can be out of date.

Endpoints and publication

These two endpoints are local URLs that are automatically published on WAProxy, or on another reverse proxy, when one is configured with your WebADM infrastructure.

The default URLs when there is no WAProxy or reverse proxy configured are:

  • http://webadm_server/ocsp/
  • http://webadm_server/crl/

When WAProxy/Reverse Proxy servers are configured, the URLs are:

  • http://public_hostname/ocsp/
  • http://public_hostname/crl/

The public hostname is a setting configurable in /opt/webadm/conf/webadm.conf with the directive public_hostname:

public_hostname "waproxy.rcdevsdocs.com"

OCSP Check

The OpenSSL command can be utilized to verify certificate revocation status using the OCSP service:

openssl ocsp -issuer ca.crt -cert johndoe.crt -text -url http://webadm1.rcdevsdocs.com/ocsp/ -header "HOST"="webadm1.rcdevsdocs.com"

Valid certificate

For a valid certificate, the aforementioned OpenSSL command will yield the following result (status: good):

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
          Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
          Serial Number: AD9DBEC023CB7C50047DDF178164097F
    Request Extensions:
        OCSP Nonce: 
            04101E8F6CE17FBEB7F5F3B07A4D3A0F0811
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
    Produced At: Dec 13 14:32:53 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
      Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
      Serial Number: AD9DBEC023CB7C50047DDF178164097F
    Cert Status: good
    This Update: Dec 13 14:32:53 2023 GMT

    Response Extensions:
        OCSP Nonce: 
            04101E8F6CE17FBEB7F5F3B07A4D3A0F0811
    Signature Algorithm: sha256WithRSAEncryption
Response verify OK
johndoe.crt: good
        This Update: Dec 13 14:32:53 2023 GMT

Below, the WebADM logs regarding the previous request:

[2023-12-13 15:32:53] [192.168.3.205:63375] New OCSP request for serial: 230775502758290284840807186191261895039
[2023-12-13 15:32:53] [192.168.3.205:63375] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-13 15:32:53] [192.168.3.205:63375] Returning OCSP response 'Good'

Revoked certificate

A certificate is deemed revoked for the following reasons:

  • User certificate: Certificate not existing on the user account.
  • Client certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.
  • Server certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.
  • Mobile certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.

Mobile certificates used for document signing are revoked only under two conditions: if they are labeled as "Revoked" in the SQL database or if they have expired. If a certificate is still valid in terms of its expiration date but has been removed from the SQL database, it can be used during its validity period and will be automatically re-added to the SQL database. To render a mobile certificate unusable, it must be retained in the SQL database and marked as Revoked.

For a revoked certificate, the OpenSSL command provided previously returns the status revoked and the revocation time:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 66B72E282CBB66675F45363B7B9667AB5F1DC68D
          Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
          Serial Number: 80502E9B6C05534A965C104D6E182743
    Request Extensions:
        OCSP Nonce: 
            041029DD3F7A25F4286C09099EE96A358860
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
    Produced At: Dec 14 13:12:30 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 66B72E282CBB66675F45363B7B9667AB5F1DC68D
      Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
      Serial Number: 80502E9B6C05534A965C104D6E182743
    Cert Status: revoked
    Revocation Time: Dec 14 13:12:30 2023 GMT
    This Update: Dec 14 13:12:30 2023 GMT

    Response Extensions:
        OCSP Nonce: 
            041029DD3F7A25F4286C09099EE96A358860
    Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe.crt: revoked
        This Update: Dec 14 13:12:30 2023 GMT
        Revocation Time: Dec 14 13:28:22 2023 GMT

WebADM logs regarding the previous request:

[2023-12-14 14:12:30] [192.168.3.205:57252] New OCSP request for serial: 170557512513789794651896604926594787139
[2023-12-14 14:12:30] [192.168.3.205:57252] > Issuer Hash: 66b72e282cbb66675f45363b7b9667ab5f1dc68d (SHA1)
[2023-12-14 14:12:30] [192.168.3.205:57252] Returning OCSP response 'Revoked'

Certificate expired

For an expired certificate (user, client, server or mobile) available on the user account or in the SQL database (not flagged as revoked), the OpenSSL command previously provided will return the status unknown:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
          Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
          Serial Number: 8A4F601706022C8139B0F4D9A7656BFC
    Request Extensions:
        OCSP Nonce: 
            04102F59FCB9622706FE66F3168E90E9DCE8
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
    Produced At: Dec 14 14:54:31 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
      Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
      Serial Number: 8A4F601706022C8139B0F4D9A7656BFC
    Cert Status: unknown
    This Update: Dec 14 14:54:31 2023 GMT

    Response Extensions:
        OCSP Nonce: 
            04102F59FCB9622706FE66F3168E90E9DCE8
    Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe.crt: unknown
        This Update: Dec 14 14:54:31 2023 GMT

Below, the WebADM logs for the previous request:

[2023-12-14 15:59:18] [192.168.3.205:63898] New OCSP request for serial: 183845603805571868310299370231666404348
[2023-12-14 15:59:18] [192.168.3.205:63898] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-14 15:59:18] [192.168.3.205:63898] Returning OCSP response 'Unknown'

Invalid issuer (Wrong CA)

An OCSP request for a certificate not issued by the WebADM internal PKI also returns the unknown status:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: FEB81015ABD71BC178CBAB41E58A1AEF08454527
          Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
          Serial Number: 01EE
    Request Extensions:
        OCSP Nonce: 
            0410CEE701CE0DF0A9E2101575F81D4FF751
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = WebADM CA #113f15bb, O = RCDevs Testing
    Produced At: Dec 14 13:10:26 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: FEB81015ABD71BC178CBAB41E58A1AEF08454527
      Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
      Serial Number: 01EE
    Cert Status: unknown
    This Update: Dec 14 13:10:26 2023 GMT

    Response Extensions:
        OCSP Nonce: 
            0410CEE701CE0DF0A9E2101575F81D4FF751
    Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe_wrong_CA.crt: unknown
        This Update: Dec 14 13:10:26 2023 GMT
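
The outcomes above differ only in the Cert Status line, and the WebADM log records the serial in decimal while OpenSSL prints it in hexadecimal. The following Python code is an added example (not RCDevs code) that parses both, matches a client-side check to the responder's log entry, and accepts a certificate only on a verified good answer. The function names are hypothetical, the samples are constructed from the outputs shown above, and rejecting unknown is a policy assumption of this example.

```python
import re

# Constructed sample: `openssl ocsp ... -text 2>&1` output for the expired
# certificate, trimmed to the response fields and using the page's values.
OPENSSL_OUTPUT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Certificate ID:
      Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
      Serial Number: 8A4F601706022C8139B0F4D9A7656BFC
    Cert Status: unknown
Response verify OK
"""

# Constructed sample: two of the webadm.log excerpts from the page, concatenated.
WEBADM_LOG = """\
[2023-12-13 15:32:53] [192.168.3.205:63375] New OCSP request for serial: 230775502758290284840807186191261895039
[2023-12-13 15:32:53] [192.168.3.205:63375] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-13 15:32:53] [192.168.3.205:63375] Returning OCSP response 'Good'
[2023-12-14 15:59:18] [192.168.3.205:63898] New OCSP request for serial: 183845603805571868310299370231666404348
[2023-12-14 15:59:18] [192.168.3.205:63898] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-14 15:59:18] [192.168.3.205:63898] Returning OCSP response 'Unknown'
"""

LOG_LINE = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] (.*)$")

def parse_webadm_ocsp_log(text):
    """Rebuild one record per OCSP request, keyed by the client ip:port field."""
    done, pending = [], {}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, msg = m.groups()
        if s := re.match(r"New OCSP request for serial: (\d+)$", msg):
            # WebADM logs the serial in decimal; OpenSSL prints it in hex.
            pending[client] = {"ts": ts, "client": client, "serial": int(s[1])}
        elif client in pending and (s := re.match(r"> Issuer Hash: ([0-9a-fA-F]+)", msg)):
            pending[client]["issuer_hash"] = s[1].upper()
        elif client in pending and (s := re.match(r"Returning OCSP response '(\w+)'", msg)):
            done.append({**pending.pop(client), "response": s[1].lower()})
    return done

def parse_openssl_ocsp(text):
    """Extract the fields of the response part of `openssl ocsp -text` output."""
    resp = text.partition("OCSP Response Data:")[2]
    def field(pattern):
        m = re.search(pattern, resp, re.M)
        return m[1] if m else None
    serial = field(r"^\s*Serial Number: ([0-9A-Fa-f]+)\s*$")
    return {
        "serial": int(serial, 16) if serial else None,
        "issuer_hash": (field(r"^\s*Issuer Name Hash: ([0-9A-Fa-f]+)") or "").upper(),
        "status": field(r"^\s*Cert Status: (\w+)"),
        "verified": field(r"^(Response verify OK)\s*$") is not None,
    }

def revocation_decision(ocsp):
    """Fail closed: accept only a signature-verified 'good' answer."""
    if not ocsp["verified"]:
        return "reject: response not verified"
    return "accept" if ocsp["status"] == "good" else f"reject: status {ocsp['status']}"

def matching_log_entries(ocsp, entries):
    """Responder-side records for the same issuer hash and serial."""
    return [e for e in entries if e["serial"] == ocsp["serial"]
            and e.get("issuer_hash") == ocsp["issuer_hash"]]

if __name__ == "__main__":
    result = parse_openssl_ocsp(OPENSSL_OUTPUT)
    print(revocation_decision(result))
    print(matching_log_entries(result, parse_webadm_ocsp_log(WEBADM_LOG)))
```

Because expired certificates and certificates from another CA both come back as unknown, a client that only looks for revoked would let them through; the decision function treats anything other than a verified good as a rejection.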

CRL Check

The CRL endpoint can exclusively be employed for checking the revocation status of SQL-stored certificates. When using the CRL method, it is crucial to retain all revoked or expired certificates to construct the CRL with their serials.

OpenSSL can be employed to verify certificate revocation by utilizing a retrieved CRL.

The following command enables you to download the CRL from WebADM in DER format:

wget http://webadm1.rcdevsdocs.com/crl -q -O webadm1.crl.der

The following command will read the CRL file in DER format and furnish information regarding certificate revocation based on serial numbers:

openssl crl -inform DER -in webadm1.crl.der -text

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
        Last Update: Dec 14 15:45:29 2023 GMT
        Next Update: Jan 13 15:45:29 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:BA:C6:DD:BC:32:CE:57:DE:CE:3F:C9:ED:4E:8D:08:67:BF:A9:F0:8C
                DirName:/CN=RCDevs Documentation CA/OU=IT/O=RCDevs SA/C=LU
                serial:32:49:B4:20:D8:25:78:93:95:5A:B1:87:AD:8C:13:43:85:A1:AD:03
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: D4EA92954DEFA9376B9FE4158740586F
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: B09E8A84E19614D40B2B49235BE0D41E
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: D105426C2604181853CE8CAE016A3D19
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Signature Algorithm: sha256WithRSAEncryption

The following command can be utilized to convert the CRL file from DER format to PEM format:

openssl crl -inform DER -in webadm1.crl.der -outform PEM -out webadm1.crl

The output of the previous command is displayed below:

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
        Last Update: Dec 14 15:45:29 2023 GMT
        Next Update: Jan 13 15:45:29 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:BA:C6:DD:BC:32:CE:57:DE:CE:3F:C9:ED:4E:8D:08:67:BF:A9:F0:8C
                DirName:/CN=RCDevs Documentation CA/OU=IT/O=RCDevs SA/C=LU
                serial:32:49:B4:20:D8:25:78:93:95:5A:B1:87:AD:8C:13:43:85:A1:AD:03
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: D4EA92954DEFA9376B9FE4158740586F
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: B09E8A84E19614D40B2B49235BE0D41E
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: D105426C2604181853CE8CAE016A3D19
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Signature Algorithm: sha256WithRSAEncryption

After the CRL has been downloaded, the CRL request logs can be found in the /opt/webadm/logs/webadm.log file:

[2023-12-13 17:30:09] [192.168.3.205:60062] New CRL request
[2023-12-13 17:30:09] [192.168.3.205:60062] Found 4 revoked certificates (cached)
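
A downloaded CRL only answers for the window between its Last Update and Next Update, and only for the serials it lists. The following Python code is an added example (not RCDevs code) that parses the text form of the CRL shown above, looks up a serial, and reports when a miss comes from an out-of-date list. The function names are hypothetical and the sample is constructed from the page's output, trimmed to two entries.

```python
import re
from datetime import datetime, timezone

# Constructed sample: `openssl crl -inform DER -in webadm1.crl.der -text -noout`
# output, trimmed to two of the page's four entries.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
        Last Update: Dec 14 15:45:29 2023 GMT
        Next Update: Jan 13 15:45:29 2024 GMT
Revoked Certificates:
    Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: D4EA92954DEFA9376B9FE4158740586F
        Revocation Date: Dec 14 15:45:28 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Signature Algorithm: sha256WithRSAEncryption
"""

ENTRY = re.compile(
    r"^\s*Serial Number: (?P<serial>[0-9A-Fa-f]+)\s+Revocation Date: (?P<date>.+)$"
    r"(?:\s+CRL entry extensions:\s+X509v3 CRL Reason Code:\s+(?P<reason>.+)$)?",
    re.M)

def parse_time(value):
    # OpenSSL prints times as "Dec 14 15:45:29 2023 GMT" (English month names assumed).
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    """Return issuer, validity window and revoked serials (as integers)."""
    def header(name):
        m = re.search(rf"^\s*{name}: (.+)$", text, re.M)
        return m[1].strip() if m else None
    return {
        "issuer": header("Issuer"),
        "last_update": parse_time(header("Last Update")),
        "next_update": parse_time(header("Next Update")),
        "revoked": {int(m["serial"], 16): {"date": parse_time(m["date"]),
                                            "reason": (m["reason"] or "").strip() or None}
                    for m in ENTRY.finditer(text)},
    }

def check_serial(crl, serial, now=None):
    """serial is an int: int(hex_from_openssl, 16) or int(decimal_from_webadm_log)."""
    now = now or datetime.now(timezone.utc)
    entry = crl["revoked"].get(serial)
    if entry:
        return ("revoked", entry["reason"])
    if not crl["last_update"] <= now <= crl["next_update"]:
        # A miss in an out-of-date list proves nothing: download a fresh CRL.
        return ("stale-crl", None)
    # Per the page, the CRL only covers SQL-stored certificates, so a miss is
    # not a "good" answer for certificates stored on user accounts.
    return ("not-listed", None)

if __name__ == "__main__":
    crl = parse_crl_text(CRL_TEXT)
    print(check_serial(crl, int("BA3F5DD65B864EFA98B0F4484E98471E", 16)))
```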