crl

crl::revoked-certificate-with-crl

Tests a Certificate Revocation List (CRL) that revokes a certificate.

Produces a simple test case where a certificate has been revoked by the CA through a CRL. The CA certificate and CRL are provided, and the leaf certificate is expected to be rejected due to its revoked status.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
| --- | --- | --- | --- | --- | --- |
| FAILURE | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
| --- | --- | --- |
| openssl-3.3.3 | | certificate revoked |
| openssl-3.5.0 | | certificate revoked |
| openssl-3.0.16 | | certificate revoked |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| rustls-webpki | | CertRevoked |
| openssl-3.4.1 | | certificate revoked |
| openssl-3.2.4 | | certificate revoked |
| gocryptox509-go1.24.3 | 🚧 | CRLs not supported |
| openssl-1.1 | | certificate revoked |
| pyca-cryptography-45.0.3 | 🚧 | testcase skipped (explicit unsupported feature) |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |

crl::crlnumber-missing

Tests handling of a CRL that's missing the CRLNumber extension.

Per RFC 5280 5.2.3 this extension MUST be included in a CRL.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
| --- | --- | --- | --- | --- | --- |
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
| --- | --- | --- |
| openssl-3.3.3 | ❌ (unexpected success) | N/A |
| openssl-3.5.0 | ❌ (unexpected success) | N/A |
| openssl-3.0.16 | ❌ (unexpected success) | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| rustls-webpki | ❌ (unexpected success) | N/A |
| openssl-3.4.1 | ❌ (unexpected success) | N/A |
| openssl-3.2.4 | ❌ (unexpected success) | N/A |
| gocryptox509-go1.24.3 | 🚧 | CRLs not supported |
| openssl-1.1 | ❌ (unexpected success) | N/A |
| pyca-cryptography-45.0.3 | 🚧 | testcase skipped (explicit unsupported feature) |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |

crl::certificate-not-on-crl

Tests a certificate that is not present on any of the CRLs (expected pass).

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
| --- | --- | --- | --- | --- | --- |
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
| --- | --- | --- |
| openssl-3.3.3 | | N/A |
| openssl-3.5.0 | | N/A |
| openssl-3.0.16 | | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| rustls-webpki | | N/A |
| openssl-3.4.1 | | N/A |
| openssl-3.2.4 | | N/A |
| gocryptox509-go1.24.3 | 🚧 | CRLs not supported |
| openssl-1.1 | | N/A |
| pyca-cryptography-45.0.3 | 🚧 | testcase skipped (explicit unsupported feature) |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |

crl::certificate-serial-on-crl-different-issuer

Tests a certificate whose serial number is found on a CRL, but that CRL has a different issuer than the certificate (expected pass).

Produces a test case where a certificate's serial number appears on a CRL, but the CRL is issued by a different CA than the one that issued the certificate. The certificate should be accepted since the CRL from a different issuer should not affect this certificate's validity.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
| --- | --- | --- | --- | --- | --- |
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
| --- | --- | --- |
| openssl-3.3.3 | | N/A |
| openssl-3.5.0 | | N/A |
| openssl-3.0.16 | | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| rustls-webpki | | N/A |
| openssl-3.4.1 | | N/A |
| openssl-3.2.4 | | N/A |
| gocryptox509-go1.24.3 | 🚧 | CRLs not supported |
| openssl-1.1 | | N/A |
| pyca-cryptography-45.0.3 | 🚧 | testcase skipped (explicit unsupported feature) |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |

crl::crlnumber-critical

Tests handling of a CRL that has a critical CRLNumber extension.

Per RFC 5280 5.2.3, the CRLNumber extension is mandatory but MUST be marked as non-critical.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
| --- | --- | --- | --- | --- | --- |
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
| --- | --- | --- |
| openssl-3.3.3 | | unhandled critical CRL extension |
| openssl-3.5.0 | | unhandled critical CRL extension |
| openssl-3.0.16 | | unhandled critical CRL extension |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| rustls-webpki | ❌ (unexpected success) | N/A |
| openssl-3.4.1 | | unhandled critical CRL extension |
| openssl-3.2.4 | | unhandled critical CRL extension |
| gocryptox509-go1.24.3 | 🚧 | CRLs not supported |
| openssl-1.1 | | unhandled critical CRL extension |
| pyca-cryptography-45.0.3 | 🚧 | testcase skipped (explicit unsupported feature) |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
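
The checks these five test cases exercise can be applied to a CRL before it is trusted. The following is an added example, not code from this test suite or from any harness listed above; it uses the CRL parsing and building API of pyca/cryptography, and the CA names, keys, serial numbers and the `check` function are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # validation time used on this page
DAY = dt.timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_crl(key, issuer, serials, number=1, critical=False):
    """Build a constructed sample CRL; number=None omits the CRLNumber extension."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
         .last_update(NOW - DAY).next_update(NOW + DAY))
    if number is not None:
        b = b.add_extension(x509.CRLNumber(number), critical=critical)
    for serial in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW - DAY).build())
    return b.sign(key, hashes.SHA256())

def check(crl, issuer, issuer_pub, serial):
    """Strict verdict for one (issuer, serial) pair against one CRL."""
    if crl.issuer != issuer:
        return "out-of-scope"  # another CA's CRL says nothing about this certificate
    if not crl.is_signature_valid(issuer_pub):
        return "invalid-crl: bad signature"
    try:
        ext = crl.extensions.get_extension_for_class(x509.CRLNumber)
    except x509.ExtensionNotFound:
        return "invalid-crl: CRLNumber missing"  # RFC 5280 5.2.3: MUST be present
    if ext.critical:
        return "invalid-crl: CRLNumber critical"  # RFC 5280 5.2.3: MUST be non-critical
    revoked = crl.get_revoked_certificate_by_serial_number(serial)
    return "revoked" if revoked is not None else "not-revoked"

CA_KEY, OTHER_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
CA, OTHER, LEAF = name("constructed CA"), name("constructed other CA"), 0x1234

def verdicts():
    cases = {  # one constructed CRL per test case on this page
        "revoked-certificate-with-crl": make_crl(CA_KEY, CA, [LEAF]),
        "crlnumber-missing": make_crl(CA_KEY, CA, [], number=None),
        "certificate-not-on-crl": make_crl(CA_KEY, CA, [0x9999]),
        "certificate-serial-on-crl-different-issuer": make_crl(OTHER_KEY, OTHER, [LEAF]),
        "crlnumber-critical": make_crl(CA_KEY, CA, [], critical=True),
    }
    return {k: check(c, CA, CA_KEY.public_key(), LEAF) for k, c in cases.items()}
```

A validator matching the expected results above would map `revoked` and every `invalid-crl` verdict to FAILURE, and `not-revoked` and `out-of-scope` to SUCCESS.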