This functionality (listing the serial numbers of the certificates revoked in a CRL) is not available in openssl's command line utility, so I cooked this up to do the job. Called as a library function it returns a Python list; run as a command-line utility it prints a JSON list. You will need to install pyOpenSSL. One way to do that is "pip install pyOpenSSL".


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# vim: ai ts=4 sts=4 et sw=4


import OpenSSL
import json, sys

def get_revoked_serials(path_to_crl):
    """Return the serial numbers listed in a PEM-encoded CRL as hex strings."""
    revoked_list = []
    with open(path_to_crl, 'r') as _crl_file:
        crl = _crl_file.read()

    # Note: recent pyOpenSSL releases deprecate the CRL API in favour of the
    # cryptography package; the parsing below is unchanged while it is present.
    crl_object = OpenSSL.crypto.load_crl(OpenSSL.crypto.FILETYPE_PEM, crl)

    # get_revoked() returns None, not an empty sequence, when nothing is revoked
    revoked_objects = crl_object.get_revoked() or ()

    for rvk in revoked_objects:
        serial = rvk.get_serial()  # hex string; bytes under Python 3
        if isinstance(serial, bytes):
            serial = serial.decode('ascii')
        revoked_list.append(serial)
    return revoked_list

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python get_revoked.py [filepath]")
        sys.exit(1)
    rs = get_revoked_serials(sys.argv[1])
    print(json.dumps(rs))

And here is how you use it:

    > python get_revoked.py /opt/ca/crl/videntity-ca-crl.pem
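The same job done with the cryptography package, which pyOpenSSL already pulls in, as an added example that is not part of the original script. It also does the two checks a revocation lookup should not skip: the CRL's signature is verified against the issuer's public key and nextUpdate is checked for staleness before any serial is trusted. The sample CRL, CA key and serials are constructed inline, and the function names are my own.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample: a throwaway CA key and a CRL that revokes two serials.
# Stands in for a real CRL file such as the one loaded on the page.
def make_sample_crl(revoked=(0x1001, 0x1002)):
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc).replace(microsecond=0)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(now).next_update(now + timedelta(days=7)))
    for serial in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(now).build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM), key.public_key()

def load_trusted_crl(pem, issuer_public_key, now=None):
    """Parse a PEM CRL and refuse it unless the issuer's signature verifies and
    nextUpdate has not passed; a CRL failing either test says nothing reliable."""
    crl = x509.load_pem_x509_crl(pem)
    if not crl.is_signature_valid(issuer_public_key):
        raise ValueError("CRL signature does not verify against the issuer key")
    now = now or datetime.now(timezone.utc)
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None and getattr(crl, "next_update", None) is not None:
        # older cryptography releases expose a naive UTC datetime
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is not None and next_update < now:
        raise ValueError("CRL is stale (nextUpdate %s)" % next_update.isoformat())
    return crl

def get_revoked_serials(pem, issuer_public_key):
    """Same result as the page's function, with serials as integers."""
    return sorted(r.serial_number for r in load_trusted_crl(pem, issuer_public_key))

def is_revoked(pem, issuer_public_key, serial):
    """Revocation lookup for one certificate serial against a trusted CRL."""
    crl = load_trusted_crl(pem, issuer_public_key)
    return crl.get_revoked_certificate_by_serial_number(serial) is not None
```

Swap make_sample_crl() for the PEM bytes of a real CRL and the issuing CA certificate's public_key() to use it against a file like the one in the command above.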

TODO items:

  • Accept a URL or a local file path.
  • Accept an x509 certificate and follow the CRL distribution point URLs.