crlutil is a Go package for downloading, parsing, and validating CRLs. It is used by CRL Watch.
checkcrl is a command line tool for evaluating a single CRL or a set of partitioned CRLs using the same logic as CRL Watch.
Note that checkcrl is NOT a linter and does not do comprehensive checks for standards compliance. It only does basic sanity checks to ensure that a CA's CRL disclosure is valid and usable. The best time to run checkcrl is when updating a CCADB disclosure, to confirm that the information you're about to disclose is correct; for checking a CRL at signing time, use a linter.
Install the checkcrl command line tool using Go 1.21 or higher:
    go install software.sslmate.com/src/crlutil/cmd/checkcrl@latest

To validate a local CRL file before it is published:

    checkcrl -ca ca.pem -url http://example.com/ca.crl -file downloaded.crl

Parameters:

    -ca    Path to the PEM-encoded CA certificate that issued the CRL (required)
    -url   URL where the CRL will be published. This URL is not downloaded, but is used for validating the CRL; it should be byte-for-byte equal to the URL disclosed for the CA in the CCADB.
    -file  Path to the local CRL file to validate

To download and validate a single published CRL:

    checkcrl -ca ca.pem -url http://example.com/ca.crl

Parameters:

    -ca    Path to the PEM-encoded CA certificate that issued the CRL (required)
    -url   URL of the CRL to download and validate. This URL should be byte-for-byte equal to the URL disclosed for the CA in the CCADB.

To download and validate a set of partitioned CRLs:

    checkcrl -ca ca.pem -json crls.json

Parameters:

    -ca    Path to the PEM-encoded CA certificate that issued the CRLs (required)
    -json  Path to a JSON file containing an array of CRL URLs to download and validate. The file contents should be byte-for-byte equal to the "JSON Array of Partitioned CRLs" disclosed for the CA in the CCADB.
If downloading, parsing, and validating the CRL(s) is successful, checkcrl exits with status 0 and produces no output.
Otherwise, an error is printed to stderr and checkcrl exits with a non-zero status.
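As an added illustration of the kind of basic sanity checks described above, here is a standard-library Go program that parses a CRL, confirms it names the given CA as issuer, verifies the signature (which also requires the CA to carry CA:TRUE and the cRLSign key usage), and checks that thisUpdate/nextUpdate make it current. This is example code, not crlutil's own code or API: the function names CheckCRL, newTestCA and signCRL are assumptions, and the CA and CRL it checks are constructed in memory rather than downloaded, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckCRL runs basic sanity checks on a DER-encoded CRL against the CA that
// is supposed to have issued it. Hypothetical helper, not crlutil's API.
func CheckCRL(crlDER []byte, ca *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL does not parse: %w", err)
	}
	if crl.Number == nil {
		return errors.New("CRL lacks a cRLNumber extension")
	}
	// The issuer name must be byte-for-byte the CA's subject, or clients will not match them.
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		return fmt.Errorf("CRL issuer %q does not match CA subject %q", crl.Issuer, ca.Subject)
	}
	// Verifies the signature and that the CA is a CA with the cRLSign key usage.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature invalid for this CA: %w", err)
	}
	if crl.ThisUpdate.After(now) {
		return fmt.Errorf("CRL thisUpdate %s is in the future", crl.ThisUpdate.UTC())
	}
	if crl.NextUpdate.IsZero() || !crl.NextUpdate.After(now) {
		return fmt.Errorf("CRL expired: nextUpdate %s is not after %s", crl.NextUpdate.UTC(), now.UTC())
	}
	return nil
}

// newTestCA builds a throwaway self-signed CA (constructed test data). For CA
// templates Go generates the subjectKeyIdentifier that CreateRevocationList
// requires of the issuer.
func newTestCA(now time.Time, cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signCRL issues a CRL with one revoked serial; nextUpdate controls its freshness.
func signCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, now, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: nextUpdate,
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(42), RevocationTime: now.Add(-2 * time.Hour)},
		},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

func main() {
	now := time.Now()
	ca, key, err := newTestCA(now, "Example Test CA")
	if err != nil {
		panic(err)
	}
	fresh, _ := signCRL(ca, key, now, now.Add(24*time.Hour))
	stale, _ := signCRL(ca, key, now, now.Add(-time.Minute))
	fmt.Println("fresh CRL:", CheckCRL(fresh, ca, now)) // <nil>
	fmt.Println("stale CRL:", CheckCRL(stale, ca, now)) // CRL expired: ...
}
```

The same checks apply to a CRL read from a file or fetched from its published URL; what this example does not cover is the URL comparison against the CCADB disclosure, which checkcrl performs from the -url and -json parameters.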