Creating a CRL Using the CA Certificate

  1. Log in to the server where the CA certificate is generated.
  2. Go to the cert_v3 directory. For details, see Figure 1.
    Figure 1 cert_v3 directory
  3. Create the directories and files that the CRL commands expect. The demoCA directory, index.txt (the certificate database) and crlnumber (the CRL sequence number) are the defaults in the [CA_default] section of the system openssl.cnf, which the openssl ca commands below read.
    mkdir demoCA && touch demoCA/index.txt && touch demoCA/crlnumber
  4. Use the CA certificate and key to revoke a certificate that the CA signed, which records the revocation in the database. The following uses the client certificate as an example.
    openssl ca -keyfile ca/ca.key -cert ca/ca.crt -revoke client/client.crt

  5. Generate a CRL.
    echo 01 > demoCA/crlnumber
    openssl ca -gencrl -keyfile ca/ca.key -cert ca/ca.crt -out ca.crl

    Check the current directory: the generated ca.crl is the CRL that lists the revoked client certificate.

    For details about how to load a CRL, see (Optional) Certificate Import.

    • After a CRL is generated, delete related intermediate files and directories in a timely manner to prevent information leakage.
    • The CRL must be loaded together with the CA certificate.
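The procedure in steps 3 to 5, together with the check behind the last note, as an added shell example that is not part of the original page: it builds a constructed demo CA and client certificate, runs the same revoke and gencrl commands against a minimal inline ca.cnf (standing in for the system openssl.cnf that supplies the demoCA layout the page relies on), and then verifies the client certificate with and without the CRL. The directory names, subject names and ca.cnf contents are assumptions made for this example.

```shell
# Added example, not from the page: constructed demo CA and client cert, the page's
# revoke/gencrl steps run against a minimal inline ca.cnf (standing in for the
# system openssl.cnf the page relies on), and verify checks with and without the CRL.
set -eu
cd "$(mktemp -d)"  # throwaway working directory; layout follows the page
setup_demo_pki() {  # constructed demo CA and client certificate, not a real PKI
  mkdir -p ca client demoCA
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
crlnumber = $dir/crlnumber
serial = $dir/serial
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=demo-ca -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj /CN=demo-client \
    -keyout client/client.key -out client/client.csr 2>/dev/null
  openssl x509 -req -in client/client.csr -CA ca/ca.crt -CAkey ca/ca.key \
    -CAcreateserial -days 365 -out client/client.crt 2>/dev/null
}
revoke_and_gencrl() {  # steps 3 to 5 of the page, pointed at ca.cnf
  touch demoCA/index.txt demoCA/crlnumber
  openssl ca -config ca.cnf -keyfile ca/ca.key -cert ca/ca.crt -revoke client/client.crt
  echo 01 > demoCA/crlnumber
  openssl ca -config ca.cnf -gencrl -keyfile ca/ca.key -cert ca/ca.crt -out ca.crl
}
verify_client() {  # exit 0 if client.crt verifies; "$1" optionally names a CRL to check
  if [ -n "${1:-}" ]; then openssl verify -CAfile ca/ca.crt -CRLfile "$1" -crl_check client/client.crt
  else openssl verify -CAfile ca/ca.crt client/client.crt; fi
}
crl_lists_client() {  # exit 0 if the serial of client.crt is listed in ca.crl
  serial=$(openssl x509 -in client/client.crt -noout -serial | cut -d= -f2)
  openssl crl -in ca.crl -noout -text | grep -q "Serial Number: $serial"
}
setup_demo_pki; revoke_and_gencrl
verify_client ca.crl || echo "CA cert + CRL: client cert rejected, as expected"
verify_client && echo "CA cert alone: still accepted, so the CRL must be loaded with it"
```

The script leaves its keys, database and CRL in a temporary directory; delete it afterwards, as the first note above advises for intermediate files.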