Differences between NSS and OpenSSL CRLs
NSS Certificate Revocation Lists (CRLs) and OpenSSL CRLs can both be stored in Base-64 encoded format. The only difference is in the header and footer that OpenSSL accepts versus those that NSS accepts†.
† - The Dogtag tool called PrettyPrintCrl is located in the pki-java-tools package, and reads both formats without the need for any conversion. Additionally, the NSS tool called pp can be used to read either format.
NSS CRLs
The following is an example of an NSS CRL:
Store this CRL in a file called crl.txt.
OpenSSL CRLs
The following is an example of an OpenSSL CRL:
Store this CRL in a file called crl.pem.
Using Dogtag to Read CRLs
Most Dogtag Certificate System installations include the following tool to read an NSS CRL:
``PrettyPrintCrl crl.txt``
Alternatively, a user can execute the following to read an OpenSSL CRL:
``PrettyPrintCrl crl.pem``
In either case, this tool outputs something similar to the following:
Using NSS to Read CRLs
The following NSS command can also be executed to read an NSS CRL:
``/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.txt -a``
where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.
Alternatively, a user can execute the following to read an OpenSSL CRL:
``/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.pem -a``
where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.
In either case, this tool outputs something similar to the following:
Using OpenSSL to Read and Convert CRLs
Similarly, running the following OpenSSL command:
``openssl crl -in crl.pem -noout -text``
Produces the following:
Convert the PEM CRL to binary (DER encoded) format:
``openssl crl -in crl.pem -out binary.crl -outform DER``
Read a binary CRL (this produces the same output as above):
``openssl crl -in binary.crl -inform DER -noout -text``
Convert the binary (DER encoded) CRL to PEM format:
``openssl crl -in binary.crl -inform DER -out crl.pem``
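The header and footer difference described at the top of this page, shown as an added example (not code from Dogtag, NSS or OpenSSL): it re-armors a Base-64 CRL under the other label, or extracts the DER bytes, without altering the encoded content. `X509 CRL` is the label OpenSSL uses; the `CERTIFICATE REVOCATION LIST` label for the NSS style is an assumption because the sample CRLs are not shown here, and `SAMPLE_DER` is a constructed stand-in, not a real CRL.

```python
import base64
import re

# "X509 CRL" is the label OpenSSL reads and writes. The NSS-style label is an
# assumption, because the page's sample CRLs are not shown.
OPENSSL_LABEL = "X509 CRL"
NSS_LABEL = "CERTIFICATE REVOCATION LIST"
# Constructed stand-in (a tiny DER SEQUENCE), not a real CRL.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

_ARMOR = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.DOTALL)

def der_length_ok(der: bytes) -> bool:
    """True if der is one SEQUENCE (tag 0x30) whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length held in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der(pem: str) -> tuple[str, bytes]:
    """Return (label, DER bytes) from a Base-64 armored CRL with either label."""
    m = _ARMOR.search(pem)
    if not m or m.group(1) != m.group(3):
        raise ValueError("missing or mismatched BEGIN/END lines")
    if m.group(1) not in (OPENSSL_LABEL, NSS_LABEL):
        raise ValueError(f"not a CRL armor label: {m.group(1)!r}")
    # validate=True rejects stray characters instead of silently skipping them
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("body is not a single, complete DER SEQUENCE")
    return m.group(1), der

def der_to_pem(der: bytes, label: str = OPENSSL_LABEL) -> str:
    """Armor DER bytes under the given label, wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])

def convert(pem: str, label: str = OPENSSL_LABEL) -> str:
    """Rewrite only the header and footer; the encoded CRL bytes stay the same."""
    return der_to_pem(pem_to_der(pem)[1], label)
```

The output of `convert()` can be checked with the ``openssl crl -in crl.pem -noout -text`` command shown above.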