
CRL

This guide covers certificate revocation and Certificate Revocation List (CRL) operations.

A Certificate Revocation List (CRL) is a signed list of revoked certificates published by the CA. Relying parties download the CRL to check if a certificate has been revoked.

ca/
└── crl/
    ├── ca.crl       # PEM format
    └── ca.crl.der   # DER format (for LDAP/HTTP distribution)

For multi-profile CAs, each algorithm family has its own CRL:

ca/
└── crl/
    ├── ca.ecdsa-p384.crl       # EC-signed CRL
    ├── ca.ecdsa-p384.crl.der
    ├── ca.ml-dsa-87.crl        # ML-DSA-signed CRL
    └── ca.ml-dsa-87.crl.der

Revoke a certificate.

qpki cert revoke <serial> [flags]

Flags:

| Flag | Short | Default | Description |
|---|---|---|---|
| --ca-dir | -d | ./ca | CA directory |
| --reason | -r | unspecified | Revocation reason |
| --gen-crl | | false | Generate CRL after revocation |
| --crl-days | | 7 | CRL validity in days |
| --ca-passphrase | | "" | CA key passphrase |

Revocation Reasons:

| Reason | Description |
|---|---|
| unspecified | No specific reason |
| keyCompromise | Private key was compromised |
| caCompromise | CA key was compromised |
| affiliationChanged | Subject's affiliation changed |
| superseded | Replaced by new certificate |
| cessation | Certificate no longer needed |
| hold | Temporary hold |

Examples:

# Revoke by serial number
qpki cert revoke 02 --ca-dir ./myca --reason superseded

# Revoke for key compromise and regenerate the CRL in one step
qpki cert revoke 02 --ca-dir ./myca --reason keyCompromise --gen-crl

# Regenerate the CRL with a 30-day validity
qpki cert revoke 02 --ca-dir ./myca --gen-crl --crl-days 30

Generate a Certificate Revocation List.

qpki crl gen [flags]

Flags:

| Flag | Short | Default | Description |
|---|---|---|---|
| --ca-dir | -d | ./ca | CA directory |
| --days | | 7 | CRL validity in days |
| --ca-passphrase | | "" | CA key passphrase |
| --algo | | "" | Algorithm family (ec, ml-dsa, etc.); multi-profile CA only |
| --all | | false | Generate CRLs for all algorithm families |

Examples:

# Generate CRL valid for 7 days (the default)
qpki crl gen --ca-dir ./myca

# Generate CRL valid for 30 days
qpki crl gen --ca-dir ./myca --days 30

# Multi-profile CA: generate the CRL for one algorithm family, or for all of them
qpki crl gen --ca-dir ./myca --algo ec
qpki crl gen --ca-dir ./myca --all

Display detailed information about a Certificate Revocation List.

qpki crl info <crl-file>

Output includes:

  • Issuer name
  • This Update / Next Update timestamps
  • Signature algorithm
  • CRL Number (if present)
  • Authority Key Identifier
  • Number of revoked certificates
  • Expiry status
  • List of revoked serials with revocation date and reason

Examples:

# Display CRL information
qpki crl info ./ca/crl/ca.crl
qpki crl info /path/to/crl.pem

Verify the signature of a Certificate Revocation List.

qpki crl verify <crl-file> [flags]

Flags:

| Flag | Default | Description |
|---|---|---|
| --ca | (required) | CA certificate (PEM) |
| --check-expiry | false | Also check if CRL is expired |

Examples:

# Verify CRL signature
qpki crl verify ./ca/crl/ca.crl --ca ./ca/ca.crt

# Verify CRL signature and fail if the CRL is past its Next Update
qpki crl verify ./ca/crl/ca.crl --ca ./ca/ca.crt --check-expiry

List all CRLs in a CA directory.

qpki crl list [flags]

Flags:

| Flag | Short | Default | Description |
|---|---|---|---|
| --ca-dir | -d | ./ca | CA directory |

Output columns:

  • NAME: CRL filename
  • THIS UPDATE: When the CRL was generated
  • NEXT UPDATE: When the CRL expires
  • REVOKED: Number of revoked certificates
  • STATUS: valid or EXPIRED

Example:

qpki crl list --ca-dir ./myca

| Environment | Recommended Validity |
|---|---|
| Development | 7 days |
| Production | 1-7 days |
| High-security | 1 day or less |

Shorter validity periods mean faster revocation propagation (relying parties must fetch a fresh list sooner) but more frequent CRL regeneration.
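What `qpki crl verify --check-expiry` and the validity table above amount to on the relying-party side, as an added example that is not part of qpki's own code: the CRL is trusted only after its CA signature verifies and its Next Update has not passed, and only then is the serial looked up. The CA, the CRL (serial 02 revoked for keyCompromise) and the 7-day validity are constructed in-process with Go's standard library; nothing is read from a qpki CA directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure in the constructed sample data
	}
	return v
}

// makeCAAndCRL: throwaway ECDSA P-384 CA plus a CRL revoking serial 02 for keyCompromise (RFC 5280 reason code 1), valid validDays as "qpki crl gen --days" would set. Constructed sample data, not a qpki CA directory.
func makeCAAndCRL(now time.Time, validDays int) (*x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(87600 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Duration(validDays) * 24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(2), RevocationTime: now, ReasonCode: 1}}}
	return ca, must(x509.CreateRevocationList(rand.Reader, crl, ca, key))
}

// checkStatus: relying-party check. A CRL is usable only once its CA signature verifies ("qpki crl verify") and it is not past NextUpdate ("--check-expiry"); a stale or unverifiable list is never read as "not revoked". The returned reason is the RFC 5280 code.
func checkStatus(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // also enforces cRLSign key usage and CA basic constraints on the issuer
	}
	if err == nil && now.After(crl.NextUpdate) {
		err = fmt.Errorf("CRL expired at %s, fetch a fresh one", crl.NextUpdate.Format(time.RFC3339))
	}
	if err != nil {
		return false, 0, fmt.Errorf("CRL rejected, status undecidable: %w", err)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, 0, nil
}
```

A CRL from the wrong CA, or one whose Next Update has passed, yields an error rather than a "good" answer, which is the behaviour the short validity periods in the table rely on.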

Publish CRLs via:

  • HTTP (recommended): http://crl.example.com/ca.crl
  • LDAP: ldap://ldap.example.com/cn=CA,dc=example,dc=com?certificateRevocationList

| Feature | CRL | OCSP |
|---|---|---|
| Freshness | Periodic | Real-time |
| Bandwidth | Higher (full list) | Lower (per-cert) |
| Availability | Cacheable | Requires responder |
| Privacy | Client reveals nothing | Client reveals cert |

For real-time revocation checking, see OCSP.
  • CA - Certificate Authority management
  • Certificates - Certificate issuance and verification
  • OCSP - Real-time revocation checking
  • Credentials - Credential lifecycle