Author: Dominique Quatravaux

NAME

Example code to make RFC3280-compliant CRLv2s with Crypt::OpenSSL::CA


The test private keys and certificates are assumed to have been generated already; see the same directory for how to do that.

Issuer coordinates

The issuer DN and key identifiers are taken directly from the CA certificate.

CRL Number

Long ASN.1 integers are supported.


First things first.

Global CRL settings

CRL dates are supported using the dual ASN.1 date format in conformance with RFC3280 sections and

RFC3280 section now makes v2 for CRLs mandatory; not coincidentally, this is the default in Crypt::OpenSSL::CA. The authorityKeyIdentifier and crlNumber extensions are also mandatory. authorityKeyIdentifier MUST NOT be critical as per section, while crlNumber MUST be as per

Just for fun, we add a freshestCRL extension as per RFC3280 section 5.2.6; the corresponding delta CRL is issued below, see "DELTA CRL".

Revoked Certificates List

In order of appearance: a CRLv1-like unadorned entry, an entry with unspecified revocation reason, an entry for a certificate that was put on hold (that is removed by the delta-CRL, see below), and an entry for a certificate whose key was compromised (with a compromiseTime set). Notice that the CRL entries are in no particular order.

All done

Now we just have to sign the CRL.


DELTA CRL

Just because we can.

Revoked Certificates List

We add a revoked certificate to the CRL, and remove the hold instruction from certificate 0x42.

All done

Now we just have to sign the CRL.
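The whole procedure above, both the base CRL (issuer DN and key identifier taken from the CA certificate, a crlNumber wider than 64 bits, dual-format dates, the four entries, a freshestCRL pointer, signing) and the delta CRL that adds one revocation and lifts the hold on 0x42, as one added example that is not the page's Perl script. It uses Python's cryptography package instead of Crypt::OpenSSL::CA, generates a throwaway test CA in place of the pre-generated keys and certificates, and the distribution-point URI, the dates and every serial other than 0x42 are constructed placeholders; the compromise time on the key-compromise entry is modelled as the invalidityDate entry extension. Extension criticality follows RFC 3280 (authorityKeyIdentifier, crlNumber and freshestCRL non-critical, deltaCRLIndicator critical), and inspect_crl reads each CRL back to confirm the signature, the UTCTime/GeneralizedTime encoding of the two dates, the key-identifier linkage and each entry's reason code.

```python
# Added example (Python "cryptography" package), not the page's Perl script: base CRL, delta CRL, read-back check.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
# Constructed dates exercising the dual ASN.1 date rule: a 2024 thisUpdate must be
# encoded as UTCTime, a nextUpdate in 2050 or later as GeneralizedTime.
LAST_UPDATE = datetime.datetime(2024, 1, 1, tzinfo=UTC)
NEXT_UPDATE = datetime.datetime(2050, 1, 1, tzinfo=UTC)
BASE_NUMBER = 2**70 + 5                            # wider than 64 bits: a "long" crlNumber
DELTA_URI = "http://crl.example.test/delta.crl"    # placeholder freshestCRL pointer


def make_test_ca():
    """Throwaway CA key and self-signed cert, standing in for the page's pre-generated test CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example test CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(LAST_UPDATE).not_valid_after(NEXT_UPDATE)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def _skeleton(ca_cert, crl_number):
    """Issuer DN and authorityKeyIdentifier are taken straight from the CA certificate."""
    aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject).last_update(LAST_UPDATE).next_update(NEXT_UPDATE)
            .add_extension(aki, critical=False)                            # 5.2.1: non-critical
            .add_extension(x509.CRLNumber(crl_number), critical=False))    # 5.2.3: non-critical

def _entry(serial, reason=None, invalidity=None):
    """One revokedCertificates entry; reasonCode and invalidityDate are optional entry extensions."""
    b = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(LAST_UPDATE)
    if reason is not None:
        b = b.add_extension(x509.CRLReason(reason), critical=False)
    if invalidity is not None:
        b = b.add_extension(x509.InvalidityDate(invalidity), critical=False)
    return b.build()

def build_base_crl(ca_key, ca_cert):
    """The page's four entries, in no particular order, plus a freshestCRL pointer; returns PEM."""
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(DELTA_URI)], None, None, None)
    builder = _skeleton(ca_cert, BASE_NUMBER).add_extension(x509.FreshestCRL([dp]), critical=False)
    for entry in (_entry(0x10),                                         # unadorned, CRLv1-like
                  _entry(0x11, x509.ReasonFlags.unspecified),
                  _entry(0x42, x509.ReasonFlags.certificate_hold),      # lifted by the delta
                  _entry(0x43, x509.ReasonFlags.key_compromise,         # with a compromise time
                         datetime.datetime(2023, 12, 24, tzinfo=UTC))):
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def build_delta_crl(ca_key, ca_cert):
    """Delta against BASE_NUMBER: one new revocation, and removeFromCRL for the held 0x42."""
    builder = (_skeleton(ca_cert, BASE_NUMBER + 1)
               .add_extension(x509.DeltaCRLIndicator(BASE_NUMBER), critical=True)  # 5.2.4: critical
               .add_revoked_certificate(_entry(0x44, x509.ReasonFlags.cessation_of_operation))
               .add_revoked_certificate(_entry(0x42, x509.ReasonFlags.remove_from_crl)))
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def inspect_crl(pem, ca_cert):
    """Read a CRL back and report what a relying party would check."""
    crl = x509.load_pem_x509_crl(pem)
    der = crl.public_bytes(serialization.Encoding.DER)

    def critical(cls):          # None when the extension is absent
        found = [e for e in crl.extensions if isinstance(e.value, cls)]
        return found[0].critical if found else None

    def reason(serial):         # None when the serial is not listed, "none" for a bare entry
        rc = crl.get_revoked_certificate_by_serial_number(serial)
        found = [] if rc is None else [e for e in rc.extensions if isinstance(e.value, x509.CRLReason)]
        return None if rc is None else (found[0].value.reason.name if found else "none")

    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    return {
        "signature_ok": crl.is_signature_valid(ca_cert.public_key()),
        "this_update_utctime": b"\x17\x0d240101000000Z" in der,            # tag 0x17 = UTCTime
        "next_update_generalizedtime": b"\x18\x0f20500101000000Z" in der,  # tag 0x18 = GeneralizedTime
        "aki_matches_ca_ski": crl.extensions.get_extension_for_class(
            x509.AuthorityKeyIdentifier).value.key_identifier == ski,
        "crl_number": crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number,
        "critical": {c.__name__: critical(c) for c in (x509.AuthorityKeyIdentifier,
                     x509.CRLNumber, x509.FreshestCRL, x509.DeltaCRLIndicator)},
        "entries": len(crl),
        "reasons": {hex(s): reason(s) for s in (0x10, 0x11, 0x42, 0x43, 0x44)},
    }

def run_demo():
    key, cert = make_test_ca()
    return {"base": inspect_crl(build_base_crl(key, cert), cert),
            "delta": inspect_crl(build_delta_crl(key, cert), cert)}
```

run_demo() issues both CRLs against a fresh test CA and returns the two inspection reports; in the base report the held certificate 0x42 shows reason certificate_hold, in the delta report it shows remove_from_crl, and the criticality map is what a conformance check against RFC 3280 sections 5.2.1 to 5.2.6 would look at.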