crl

crl::revoked-certificate-with-crl

Tests a Certificate Revocation List (CRL) that revokes a certificate.

Produces a simple test case where a certificate has been revoked by the CA through a CRL. The CA certificate and CRL are provided, and the leaf certificate is expected to be rejected due to its revoked status.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
|---|---|---|
| openssl-3.2.4 | | certificate revoked |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| openssl-3.4.1 | | certificate revoked |
| openssl-1.1 | | certificate revoked |
| rustls-webpki | | CertRevoked |
| openssl-3.5.0 | | certificate revoked |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
| pyca-cryptography-45.0.4 | 🚧 | testcase skipped (explicit unsupported feature) |
| openssl-3.3.3 | | certificate revoked |
| gocryptox509-go1.24.4 | 🚧 | CRLs not supported |
| openssl-3.0.16 | | certificate revoked |

crl::crlnumber-missing

Tests handling of a CRL that's missing the CRLNumber extension.

Per RFC 5280 5.2.3 this extension MUST be included in a CRL.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
|---|---|---|
| openssl-3.2.4 | ❌ (unexpected success) | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| openssl-3.4.1 | ❌ (unexpected success) | N/A |
| openssl-1.1 | ❌ (unexpected success) | N/A |
| rustls-webpki | ❌ (unexpected success) | N/A |
| openssl-3.5.0 | ❌ (unexpected success) | N/A |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
| pyca-cryptography-45.0.4 | 🚧 | testcase skipped (explicit unsupported feature) |
| openssl-3.3.3 | ❌ (unexpected success) | N/A |
| gocryptox509-go1.24.4 | 🚧 | CRLs not supported |
| openssl-3.0.16 | ❌ (unexpected success) | N/A |

crl::certificate-not-on-crl

Tests a certificate that is not present on any of the CRLs (expected pass).

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
|---|---|---|
| openssl-3.2.4 | | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| openssl-3.4.1 | | N/A |
| openssl-1.1 | | N/A |
| rustls-webpki | | N/A |
| openssl-3.5.0 | | N/A |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
| pyca-cryptography-45.0.4 | 🚧 | testcase skipped (explicit unsupported feature) |
| openssl-3.3.3 | | N/A |
| gocryptox509-go1.24.4 | 🚧 | CRLs not supported |
| openssl-3.0.16 | | N/A |

crl::certificate-serial-on-crl-different-issuer

Tests a certificate whose serial number is found on a CRL, but that CRL has a different issuer than the certificate (expected pass).

Produces a test case where a certificate's serial number appears on a CRL, but the CRL is issued by a different CA than the one that issued the certificate. The certificate should be accepted since the CRL from a different issuer should not affect this certificate's validity.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
|---|---|---|
| openssl-3.2.4 | | N/A |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| openssl-3.4.1 | | N/A |
| openssl-1.1 | | N/A |
| rustls-webpki | | N/A |
| openssl-3.5.0 | | N/A |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
| pyca-cryptography-45.0.4 | 🚧 | testcase skipped (explicit unsupported feature) |
| openssl-3.3.3 | | N/A |
| gocryptox509-go1.24.4 | 🚧 | CRLs not supported |
| openssl-3.0.16 | | N/A |

crl::crlnumber-critical

Tests handling of a CRL that has a critical CRLNumber extension.

Per RFC 5280 5.2.3, the CRLNumber extension is mandatory but MUST be marked as non-critical.

| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |

| Harness | Result | Context |
|---|---|---|
| openssl-3.2.4 | | unhandled critical CRL extension |
| gnutls-certtool-3.8.3 | 🚧 | CRLs not supported yet |
| openssl-3.4.1 | | unhandled critical CRL extension |
| openssl-1.1 | | unhandled critical CRL extension |
| rustls-webpki | ❌ (unexpected success) | N/A |
| openssl-3.5.0 | | unhandled critical CRL extension |
| rust-webpki | 🚧 | CRLs are not supported by this API |
| certvalidator-0.11.1 | 🚧 | testcase skipped (explicit unsupported feature) |
| pyca-cryptography-45.0.4 | 🚧 | testcase skipped (explicit unsupported feature) |
| openssl-3.3.3 | | unhandled critical CRL extension |
| gocryptox509-go1.24.4 | 🚧 | CRLs not supported |
| openssl-3.0.16 | | unhandled critical CRL extension |