Differences between NSS and OpenSSL CRLs

NSS Certificate Revocation Lists (CRLs) and OpenSSL CRLs can be stored in the Base-64 encoded format. The only difference is between the accepted header and footer required by OpenSSL versus NSS CRLs^†.

^† - The Dogtag tool called PrettyPrintCrl is located in the pki-java-tools package, and reads both formats without the need for any conversion. Additionally, the NSS tool called pp can be used to read either format.

NSS CRLs

The following is an example of an NSS CRL:

``   \ **—–BEGIN CERTIFICATE REVOCATION LIST—–``**

``   MIIBmDCBgQIBATANBgkqhkiG9w0BAQUFADA/MR0wGwYDVQQKExRVc2Vyc3lzUmVk``

``   aGF0IERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5Fw0wODAz``

``   MjYxOTMzMDJaFw0wODAzMjYyMzMzMDJaoA4wDDAKBgNVHRQEAwIBHDANBgkqhkiG``

``   9w0BAQUFAAOCAQEAK5w0zCzwtrIQaaTl8oF8TBFd+1ZSFar1Ue30OYd+ksSqzlMg``

``   finc3qhKQxtem1vOwCgx4FO0/guHazRj/YLtMF4WhSSdM3qnTNKmJIv2aLhJh89C``

``   oaObh0kXtvVr5QohTQKuEkg3iqyauEBZ1VRhdojAWFRNt43Zd6WIkyYwa8PzKGWb``

``   HsJ1aLhOBFveoUqEFpKrUb+aDEfPgSIKJJomjH12Qg3NQzRILuqVIcWwrlHr6W+v``

``   pHuHOdgtOJoT+Qe+fw2OgPtsgk72mgSfTRmVBWmnI48XwdyO9O5xscH1MWxxpW2K``

``   7OkC/YzU/QKuIfW8c6Rr009fKFDwrixf4wIj0Q==``

``   \ **—–END CERTIFICATE REVOCATION LIST—–``**

Store this CRL in a file called crl.txt.

OpenSSL CRLs

The following is an example of an OpenSSL CRL:

``   \ **—–BEGIN X509 CRL—–``**

``   MIIBmDCBgQIBATANBgkqhkiG9w0BAQUFADA/MR0wGwYDVQQKExRVc2Vyc3lzUmVk``

``   aGF0IERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5Fw0wODAz``

``   MjYxOTMzMDJaFw0wODAzMjYyMzMzMDJaoA4wDDAKBgNVHRQEAwIBHDANBgkqhkiG``

``   9w0BAQUFAAOCAQEAK5w0zCzwtrIQaaTl8oF8TBFd+1ZSFar1Ue30OYd+ksSqzlMg``

``   finc3qhKQxtem1vOwCgx4FO0/guHazRj/YLtMF4WhSSdM3qnTNKmJIv2aLhJh89C``

``   oaObh0kXtvVr5QohTQKuEkg3iqyauEBZ1VRhdojAWFRNt43Zd6WIkyYwa8PzKGWb``

``   HsJ1aLhOBFveoUqEFpKrUb+aDEfPgSIKJJomjH12Qg3NQzRILuqVIcWwrlHr6W+v``

``   pHuHOdgtOJoT+Qe+fw2OgPtsgk72mgSfTRmVBWmnI48XwdyO9O5xscH1MWxxpW2K``

``   7OkC/YzU/QKuIfW8c6Rr009fKFDwrixf4wIj0Q==``

``   \ **—–END X509 CRL—–``**

Store this CRL in a file called crl.pem.

Using Dogtag to Read CRLs

Most Dogtag Certificate System installations include the following tool to read an NSS CRL:

``   ````PrettyPrintCrl crl.txt``

Alternatively, a user can execute the following to read an OpenSSL CRL:

``   ````PrettyPrintCrl crl.pem``

In either case, this tool outputs something similar to the following:

``   Certificate Revocation List:``

``       Data:``

``           Version:  v2``

``           Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5``

``           Issuer: CN=Certificate Authority,O=UsersysRedhat Domain``

``           This Update: Wednesday, March 26, 2008 12:33:02 PM PDT America/Los_Angeles``

``           Next Update: Wednesday, March 26, 2008 4:33:02 PM PDT America/Los_Angeles``

``           Revoked Certificates:``

``       Extensions:``

``           Identifier: CRL Number - 2.5.29.20``

``               Critical: no``

``               Number: 28``

``       Signature:``

``           Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5``

``           Signature:``

``               2B:9C:34:CC:2C:F0:B6:B2:10:69:A4:E5:F2:81:7C:4C:``

``               11:5D:FB:56:52:15:AA:F5:51:ED:F4:39:87:7E:92:C4:``

``               AA:CE:53:20:7E:29:DC:DE:A8:4A:43:1B:5E:9B:5B:CE:``

``               C0:28:31:E0:53:B4:FE:0B:87:6B:34:63:FD:82:ED:30:``

``               5E:16:85:24:9D:33:7A:A7:4C:D2:A6:24:8B:F6:68:B8:``

``               49:87:CF:42:A1:A3:9B:87:49:17:B6:F5:6B:E5:0A:21:``

``               4D:02:AE:12:48:37:8A:AC:9A:B8:40:59:D5:54:61:76:``

``               88:C0:58:54:4D:B7:8D:D9:77:A5:88:93:26:30:6B:C3:``

``               F3:28:65:9B:1E:C2:75:68:B8:4E:04:5B:DE:A1:4A:84:``

``               16:92:AB:51:BF:9A:0C:47:CF:81:22:0A:24:9A:26:8C:``

``               7D:76:42:0D:CD:43:34:48:2E:EA:95:21:C5:B0:AE:51:``

``               EB:E9:6F:AF:A4:7B:87:39:D8:2D:38:9A:13:F9:07:BE:``

``               7F:0D:8E:80:FB:6C:82:4E:F6:9A:04:9F:4D:19:95:05:``

``               69:A7:23:8F:17:C1:DC:8E:F4:EE:71:B1:C1:F5:31:6C:``

``               71:A5:6D:8A:EC:E9:02:FD:8C:D4:FD:02:AE:21:F5:BC:``

``               73:A4:6B:D3:4F:5F:28:50:F0:AE:2C:5F:E3:02:23:D1``

Using NSS to Read CRLs

The following NSS command can also be executed to read an NSS CRL:

``/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.txt -a``

where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.

Alternatively, a user can execute the following to read an OpenSSL CRL:

``/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.pem -a``

where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.

In either case, this tool outputs something similar to the following:

``   CRL:``

``       Data:``

``           Version: 2 (0x1)``

``           Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption``

``           Issuer: “CN=Certificate Authority,O=UsersysRedhat Domain”``

``           This Update: Wed Mar 26 19:33:02 2008``

``           Next Update: Wed Mar 26 23:33:02 2008``

``           CRL Extensions:``

``               Name: CRL Number``

``               Data: 28 (0x1c)``

``   ``

``       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption``

``       Signature:``

``           2b:9c:34:cc:2c:f0:b6:b2:10:69:a4:e5:f2:81:7c:4c:``

``           11:5d:fb:56:52:15:aa:f5:51:ed:f4:39:87:7e:92:c4:``

``           aa:ce:53:20:7e:29:dc:de:a8:4a:43:1b:5e:9b:5b:ce:``

``           c0:28:31:e0:53:b4:fe:0b:87:6b:34:63:fd:82:ed:30:``

``           5e:16:85:24:9d:33:7a:a7:4c:d2:a6:24:8b:f6:68:b8:``

``           49:87:cf:42:a1:a3:9b:87:49:17:b6:f5:6b:e5:0a:21:``

``           4d:02:ae:12:48:37:8a:ac:9a:b8:40:59:d5:54:61:76:``

``           88:c0:58:54:4d:b7:8d:d9:77:a5:88:93:26:30:6b:c3:``

``           f3:28:65:9b:1e:c2:75:68:b8:4e:04:5b:de:a1:4a:84:``

``           16:92:ab:51:bf:9a:0c:47:cf:81:22:0a:24:9a:26:8c:``

``           7d:76:42:0d:cd:43:34:48:2e:ea:95:21:c5:b0:ae:51:``

``           eb:e9:6f:af:a4:7b:87:39:d8:2d:38:9a:13:f9:07:be:``

``           7f:0d:8e:80:fb:6c:82:4e:f6:9a:04:9f:4d:19:95:05:``

``           69:a7:23:8f:17:c1:dc:8e:f4:ee:71:b1:c1:f5:31:6c:``

``           71:a5:6d:8a:ec:e9:02:fd:8c:d4:fd:02:ae:21:f5:bc:``

``           73:a4:6b:d3:4f:5f:28:50:f0:ae:2c:5f:e3:02:23:d1``

``       Fingerprint (MD5):``

``           16:76:23:6A:BD:F8:8B:03:52:45:53:2F:FA:B8:1E:21``

``       Fingerprint (SHA1):``

``           0C:3D:57:C3:D6:06:87:1A:EA:8B:27:66:40:CD:31:90:F9:A1:AE:AC``

Using OpenSSL to Read and Convert CRLs

Similarly, running the following OpenSSL command:

``openssl crl -in crl.pem -noout -text``

Produces the following:

``   Certificate Revocation List (CRL):``

``           Version 2 (0x1)``

``           Signature Algorithm: sha1WithRSAEncryption``

``           Issuer: /O=UsersysRedhat Domain/CN=Certificate Authority``

``           Last Update: Mar 26 19:33:02 2008 GMT``

``           Next Update: Mar 26 23:33:02 2008 GMT``

``           CRL extensions:``

``               X509v3 CRL Number: ``

``                   28``

``   No Revoked Certificates.``

``       Signature Algorithm: sha1WithRSAEncryption``

``           2b:9c:34:cc:2c:f0:b6:b2:10:69:a4:e5:f2:81:7c:4c:11:5d:``

``           fb:56:52:15:aa:f5:51:ed:f4:39:87:7e:92:c4:aa:ce:53:20:``

``           7e:29:dc:de:a8:4a:43:1b:5e:9b:5b:ce:c0:28:31:e0:53:b4:``

``           fe:0b:87:6b:34:63:fd:82:ed:30:5e:16:85:24:9d:33:7a:a7:``

``           4c:d2:a6:24:8b:f6:68:b8:49:87:cf:42:a1:a3:9b:87:49:17:``

``           b6:f5:6b:e5:0a:21:4d:02:ae:12:48:37:8a:ac:9a:b8:40:59:``

``           d5:54:61:76:88:c0:58:54:4d:b7:8d:d9:77:a5:88:93:26:30:``

``           6b:c3:f3:28:65:9b:1e:c2:75:68:b8:4e:04:5b:de:a1:4a:84:``

``           16:92:ab:51:bf:9a:0c:47:cf:81:22:0a:24:9a:26:8c:7d:76:``

``           42:0d:cd:43:34:48:2e:ea:95:21:c5:b0:ae:51:eb:e9:6f:af:``

``           a4:7b:87:39:d8:2d:38:9a:13:f9:07:be:7f:0d:8e:80:fb:6c:``

``           82:4e:f6:9a:04:9f:4d:19:95:05:69:a7:23:8f:17:c1:dc:8e:``

``           f4:ee:71:b1:c1:f5:31:6c:71:a5:6d:8a:ec:e9:02:fd:8c:d4:``

``           fd:02:ae:21:f5:bc:73:a4:6b:d3:4f:5f:28:50:f0:ae:2c:5f:``

``           e3:02:23:d1``

Convert the PEM crl to binary (DER encoded) format:

``openssl crl -in crl.pem -out binary.crl -outform DER``

Read a binary CRL (will produce same output above):

``openssl crl -in binary.crl -inform DER -noout -text``

Convert the binary (DER encoded) crl to PEM format:

``openssl crl -in binary.crl -inform DER -out crl.pem``

Category:Tech Notes