Overview
WebADM infrastructure comes with OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) endpoints, two methods used to check the revocation status of digital certificates.
OCSP allows for real-time certificate status checking by querying a certificate authority's OCSP server, while CRLs provide a list of revoked certificates that is periodically published by the CA. Both methods are used to verify that a certificate is still valid and has not been revoked. OCSP is considered to be more secure and efficient, as it allows for real-time checking, while CRLs rely on a regularly updated list which can be out of date.
Endpoints and publication
These two endpoints are local URLs that are automatically published on WAProxy or another reverse proxy when one is configured with your WebADM infrastructure.
The default URLs when there is no WAProxy or reverse proxy configured are:
- http://webadm_server/ocsp/
- http://webadm_server/crl/
When WAProxy/Reverse Proxy servers are configured, the URLs are:
- http://public_hostname/ocsp/
- http://public_hostname/crl/
The public hostname is configurable in /opt/webadm/conf/webadm.conf with the directive public_hostname:
public_hostname "waproxy.rcdevsdocs.com"
OCSP Check
The OpenSSL command can be utilized to verify certificate revocation status using the OCSP service:
openssl ocsp -issuer ca.crt -cert johndoe.crt -text -url http://webadm1.rcdevsdocs.com/ocsp/ -header "HOST"="webadm1.rcdevsdocs.com"
Valid certificate
For a valid certificate, the aforementioned OpenSSL command will yield the following result (status: good):
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
Serial Number: AD9DBEC023CB7C50047DDF178164097F
Request Extensions:
OCSP Nonce:
04101E8F6CE17FBEB7F5F3B07A4D3A0F0811
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
Produced At: Dec 13 14:32:53 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
Serial Number: AD9DBEC023CB7C50047DDF178164097F
Cert Status: good
This Update: Dec 13 14:32:53 2023 GMT
Response Extensions:
OCSP Nonce:
04101E8F6CE17FBEB7F5F3B07A4D3A0F0811
Signature Algorithm: sha256WithRSAEncryption
Response verify OK
johndoe.crt: good
This Update: Dec 13 14:32:53 2023 GMT
Below, the WebADM logs regarding the previous request:
[2023-12-13 15:32:53] [192.168.3.205:63375] New OCSP request for serial: 230775502758290284840807186191261895039
[2023-12-13 15:32:53] [192.168.3.205:63375] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-13 15:32:53] [192.168.3.205:63375] Returning OCSP response 'Good'
Revoked certificate
A certificate is deemed revoked for the following reasons:
- User certificate: Certificate not existing on the user account.
- Client certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.
- Server certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.
- Mobile certificate: Certificate marked as Revoked in the SQL database or removed from the SQL database.
Mobile certificates used for document signing are revoked only under two conditions: if they are labeled as "Revoked" in the SQL database or if they have expired. If a certificate is still valid in terms of its expiration date but has been removed from the SQL database, it can be used during its validity period and will be automatically re-added to the SQL database. To render a mobile certificate unusable, it must be retained in the SQL database and marked as Revoked.
For a revoked certificate the OpenSSL command previously provided will return the status revoked and the revocation time:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 66B72E282CBB66675F45363B7B9667AB5F1DC68D
Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
Serial Number: 80502E9B6C05534A965C104D6E182743
Request Extensions:
OCSP Nonce:
041029DD3F7A25F4286C09099EE96A358860
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
Produced At: Dec 14 13:12:30 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 66B72E282CBB66675F45363B7B9667AB5F1DC68D
Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
Serial Number: 80502E9B6C05534A965C104D6E182743
Cert Status: revoked
Revocation Time: Dec 14 13:12:30 2023 GMT
This Update: Dec 14 13:12:30 2023 GMT
Response Extensions:
OCSP Nonce:
041029DD3F7A25F4286C09099EE96A358860
Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe.crt: revoked
This Update: Dec 14 13:12:30 2023 GMT
Revocation Time: Dec 14 13:28:22 2023 GMT
WebADM logs regarding the previous request:
[2023-12-14 14:12:30] [192.168.3.205:57252] New OCSP request for serial: 170557512513789794651896604926594787139
[2023-12-14 14:12:30] [192.168.3.205:57252] > Issuer Hash: 66b72e282cbb66675f45363b7b9667ab5f1dc68d (SHA1)
[2023-12-14 14:12:30] [192.168.3.205:57252] Returning OCSP response 'Revoked'
Certificate expired
For an expired certificate (user, client, server or mobile) available on the user account or in the SQL database (not flagged as revoked), the OpenSSL command previously provided will return the status unknown:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
Serial Number: 8A4F601706022C8139B0F4D9A7656BFC
Request Extensions:
OCSP Nonce:
04102F59FCB9622706FE66F3168E90E9DCE8
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = RCDevs Documentation CA, OU = IT, O = RCDevs SA, C = LU
Produced At: Dec 14 14:54:31 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B1898F8D6DE91859F6CA87B4EA18A70E4231A3A9
Issuer Key Hash: BAC6DDBC32CE57DECE3FC9ED4E8D0867BFA9F08C
Serial Number: 8A4F601706022C8139B0F4D9A7656BFC
Cert Status: unknown
This Update: Dec 14 14:54:31 2023 GMT
Response Extensions:
OCSP Nonce:
04102F59FCB9622706FE66F3168E90E9DCE8
Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe.crt: unknown
This Update: Dec 14 14:54:31 2023 GMT
Below, the WebADM logs for the previous request:
[2023-12-14 15:59:18] [192.168.3.205:63898] New OCSP request for serial: 183845603805571868310299370231666404348
[2023-12-14 15:59:18] [192.168.3.205:63898] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-14 15:59:18] [192.168.3.205:63898] Returning OCSP response 'Unknown'
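WebADM logs the serial in decimal while `openssl ocsp -text` prints it in hexadecimal, so matching a log entry to a certificate needs a conversion. The following added example (not part of the WebADM documentation or product; function names are illustrative) groups the log lines shown on this page per client connection and returns the requests that were not answered 'Good':

```python
import re

# Log lines copied from the three WebADM excerpts on this page.
SAMPLE_LOG = """\
[2023-12-13 15:32:53] [192.168.3.205:63375] New OCSP request for serial: 230775502758290284840807186191261895039
[2023-12-13 15:32:53] [192.168.3.205:63375] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-13 15:32:53] [192.168.3.205:63375] Returning OCSP response 'Good'
[2023-12-14 14:12:30] [192.168.3.205:57252] New OCSP request for serial: 170557512513789794651896604926594787139
[2023-12-14 14:12:30] [192.168.3.205:57252] > Issuer Hash: 66b72e282cbb66675f45363b7b9667ab5f1dc68d (SHA1)
[2023-12-14 14:12:30] [192.168.3.205:57252] Returning OCSP response 'Revoked'
[2023-12-14 15:59:18] [192.168.3.205:63898] New OCSP request for serial: 183845603805571868310299370231666404348
[2023-12-14 15:59:18] [192.168.3.205:63898] > Issuer Hash: b1898f8d6de91859f6ca87b4ea18a70e4231a3a9 (SHA1)
[2023-12-14 15:59:18] [192.168.3.205:63898] Returning OCSP response 'Unknown'
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]+)\] (?P<msg>.*)$")
SERIAL_RE = re.compile(r"New OCSP request for serial: (\d+)$")
ISSUER_RE = re.compile(r"> Issuer Hash: ([0-9a-f]+) \((\w+)\)$")
STATUS_RE = re.compile(r"Returning OCSP response '(\w+)'$")


def serial_dec_to_hex(serial_dec: str) -> str:
    """Render a decimal log serial as OpenSSL prints it: uppercase hex, whole bytes."""
    digits = format(int(serial_dec), "X")
    return digits if len(digits) % 2 == 0 else "0" + digits


def parse_ocsp_log(text: str) -> list:
    """Return one record per OCSP request, matched on the client ip:port field."""
    pending, records = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, msg = m["client"], m["msg"]
        if (s := SERIAL_RE.search(msg)):
            pending[client] = {"time": m["ts"], "client": client,
                               "serial_hex": serial_dec_to_hex(s[1]),
                               "issuer_hash": None, "status": None}
        elif client in pending and (i := ISSUER_RE.search(msg)):
            pending[client]["issuer_hash"] = i[1].upper()
        elif client in pending and (r := STATUS_RE.search(msg)):
            record = pending.pop(client)
            record["status"] = r[1]
            records.append(record)
    # Requests with no logged response are kept with status None.
    records.extend(pending.values())
    return records


def not_good(records: list) -> list:
    """Requests answered 'Revoked' or 'Unknown', or not answered at all."""
    return [r for r in records if r["status"] != "Good"]


if __name__ == "__main__":
    for rec in not_good(parse_ocsp_log(SAMPLE_LOG)):
        print(rec["time"], rec["client"], rec["serial_hex"], rec["status"])
```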
Invalid issuer (Wrong CA)
An OCSP request for a certificate not issued by the WebADM internal PKI will also return the unknown status:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: FEB81015ABD71BC178CBAB41E58A1AEF08454527
Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
Serial Number: 01EE
Request Extensions:
OCSP Nonce:
0410CEE701CE0DF0A9E2101575F81D4FF751
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = WebADM CA #113f15bb, O = RCDevs Testing
Produced At: Dec 14 13:10:26 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: FEB81015ABD71BC178CBAB41E58A1AEF08454527
Issuer Key Hash: 04405B3B546C1F93E5CF15C033D21C51A17565A3
Serial Number: 01EE
Cert Status: unknown
This Update: Dec 14 13:10:26 2023 GMT
Response Extensions:
OCSP Nonce:
0410CEE701CE0DF0A9E2101575F81D4FF751
Signature Algorithm: sha256WithRSAEncryption
Response verify OK
john.doe_wrong_CA.crt: unknown
This Update: Dec 14 13:10:26 2023 GMT
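The four cases above mean a relying script should accept a certificate only on a verified `good` answer and refuse both `revoked` and `unknown` (expired, or issued by another CA). The following added example, not part of the WebADM documentation, applies that rule to the text printed by `openssl ocsp -text`; the function names are illustrative, and the sample is a constructed, trimmed imitation of the output layout shown on this page.

```python
import re

# Constructed, trimmed imitation of the `openssl ocsp -text` layout shown on this
# page (stdout and stderr combined); the caller fills in {serial}, {nonce}, {status}.
SAMPLE_TEMPLATE = """\
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Serial Number: {serial}
    Request Extensions:
        OCSP Nonce:
            {nonce}
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Serial Number: {serial}
    Cert Status: {status}
    Response Extensions:
        OCSP Nonce:
            {nonce}
Response verify OK
"""


def fields(label: str, text: str) -> list:
    """Values of every 'label: value' line, in order of appearance."""
    return re.findall(rf"^[ \t]*{re.escape(label)}:[ \t]*(\S.*?)[ \t]*$", text, re.M)


def ocsp_decision(output: str, expected_serial: str) -> tuple:
    """Return (accept, reason); accept only a verified 'good' answer for expected_serial."""
    if "Response verify OK" not in output:
        return False, "response signature not verified"
    if not any(s.startswith("successful") for s in fields("OCSP Response Status", output)):
        return False, "responder error"
    # One serial in the request and one in the response, both the expected certificate.
    serials = [s.upper() for s in fields("Serial Number", output)]
    if serials != [expected_serial.upper()] * 2:
        return False, "answer is not about the expected certificate"
    # The nonce sent in the request must come back in the response (anti-replay).
    nonces = re.findall(r"OCSP Nonce:\s*([0-9A-Fa-f]+)", output)
    if len(nonces) != 2 or nonces[0].upper() != nonces[1].upper():
        return False, "nonce missing or not echoed"
    status = fields("Cert Status", output)
    if status != ["good"]:
        return False, "status " + (status[0] if status else "absent")
    return True, "good"


if __name__ == "__main__":
    serial = "8A4F601706022C8139B0F4D9A7656BFC"  # the expired certificate on this page
    text = SAMPLE_TEMPLATE.format(serial=serial, status="unknown",
                                  nonce="04102F59FCB9622706FE66F3168E90E9DCE8")
    print(ocsp_decision(text, serial))
```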
CRL Check
The CRL endpoint can exclusively be employed for checking the revocation status of SQL-stored certificates. When using the CRL method, it is crucial to retain all revoked or expired certificates to construct the CRL with their serials.
OpenSSL can be employed to verify certificate revocation by utilizing a retrieved CRL.
The following command enables you to download the CRL from WebADM in DER format:
wget http://webadm1.rcdevsdocs.com/crl -q -O webadm1.crl.der
The following command will read the CRL file in DER format and furnish information regarding certificate revocation based on serial numbers:
openssl crl -inform DER -in webadm1.crl.der -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
Last Update: Dec 14 15:45:29 2023 GMT
Next Update: Jan 13 15:45:29 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:BA:C6:DD:BC:32:CE:57:DE:CE:3F:C9:ED:4E:8D:08:67:BF:A9:F0:8C
DirName:/CN=RCDevs Documentation CA/OU=IT/O=RCDevs SA/C=LU
serial:32:49:B4:20:D8:25:78:93:95:5A:B1:87:AD:8C:13:43:85:A1:AD:03
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: D4EA92954DEFA9376B9FE4158740586F
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: B09E8A84E19614D40B2B49235BE0D41E
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: D105426C2604181853CE8CAE016A3D19
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Signature Algorithm: sha256WithRSAEncryption
The following command can be utilized to convert the CRL file from DER format to PEM format:
openssl crl -inform DER -in webadm1.crl.der -outform PEM -out webadm1.crl
The output of the previous command is displayed below:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
Last Update: Dec 14 15:45:29 2023 GMT
Next Update: Jan 13 15:45:29 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:BA:C6:DD:BC:32:CE:57:DE:CE:3F:C9:ED:4E:8D:08:67:BF:A9:F0:8C
DirName:/CN=RCDevs Documentation CA/OU=IT/O=RCDevs SA/C=LU
serial:32:49:B4:20:D8:25:78:93:95:5A:B1:87:AD:8C:13:43:85:A1:AD:03
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: D4EA92954DEFA9376B9FE4158740586F
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: B09E8A84E19614D40B2B49235BE0D41E
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: D105426C2604181853CE8CAE016A3D19
Revocation Date: Dec 14 15:45:28 2023 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Signature Algorithm: sha256WithRSAEncryption
You can locate the CRL request logs in the /opt/webadm/logs/webadm.log file after they have been downloaded.
[2023-12-13 17:30:09] [192.168.3.205:60062] New CRL request
[2023-12-13 17:30:09] [192.168.3.205:60062] Found 4 revoked certificates (cached)
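A downloaded CRL is only usable between its Last Update and Next Update, and a serial that is absent from it is not thereby proven valid, since this CRL covers SQL-stored certificates only. The following added example (not part of the WebADM documentation; names are illustrative, sample trimmed from the listing on this page) parses the `openssl crl -text` output, looks a serial up and refuses a stale list:

```python
import re
from datetime import datetime, timezone

# Trimmed from the CRL listing on this page (two of the four revoked entries).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN=RCDevs Documentation CA,OU=IT,O=RCDevs SA,C=LU
        Last Update: Dec 14 15:45:29 2023 GMT
        Next Update: Jan 13 15:45:29 2024 GMT
Revoked Certificates:
    Serial Number: BA3F5DD65B864EFA98B0F4484E98471E
        Revocation Date: Dec 14 15:45:28 2023 GMT
    Serial Number: D4EA92954DEFA9376B9FE4158740586F
        Revocation Date: Dec 14 15:45:28 2023 GMT
"""


def parse_time(value: str) -> datetime:
    """Parse an OpenSSL timestamp such as 'Dec 14 15:45:29 2023 GMT' as UTC."""
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_crl_text(text: str) -> dict:
    """Extract the validity window and the revoked serials from `openssl crl -text`."""
    last = re.search(r"Last Update:\s*(.+)", text)
    nxt = re.search(r"Next Update:\s*(.+)", text)
    if not last or not nxt:
        raise ValueError("CRL listing has no Last Update / Next Update")
    entries = re.findall(
        r"Serial Number:\s*([0-9A-Fa-f]+)\s+Revocation Date:\s*(.+)", text)
    return {"last_update": parse_time(last[1]),
            "next_update": parse_time(nxt[1]),
            # Keyed by integer so case and leading zeros do not matter.
            "revoked": {int(s, 16): parse_time(d) for s, d in entries}}


def crl_status(crl: dict, serial_hex: str, now: datetime) -> str:
    """'crl-stale' outside the validity window, else 'revoked' or 'not-listed'."""
    if not crl["last_update"] <= now <= crl["next_update"]:
        return "crl-stale"
    return "revoked" if int(serial_hex, 16) in crl["revoked"] else "not-listed"


if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    print(crl_status(crl, "D4EA92954DEFA9376B9FE4158740586F",
                     datetime.now(timezone.utc)))
```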