Prior to GSKit version 7.0.3.17, the only place a CRL is searched for is the configured SSLCRLHost, with a search base equal to the DN of the issuer.
For GSKit version 7.0.3.17 and later, if an issuing certificate contains the CRLDistributionPoint extension, the location it names is searched for a CRL before the server specified by SSLCRLHost. The user ID and password specified via SSLCRLUserID and SSLCRLStashFile are not used when connecting to servers named this way in the certificate chain.
If the certificate contains a CDP (CRL Distribution Point), that information is given precedence. The order in which the information is used is as follows:
The extensions of a signer certificate, including any CRL Distribution Point, can be displayed with
openssl x509 -in signer.crt -noout -text
An example LDIF:
dn: cn=testCA,o=myorg,c=US
objectclass: cRLDistributionPoint
objectclass: pkiCA
objectclass: entrustNamedObject
caCertificate;binary:< file:///tmp/CA.der
certificateRevocationList;binary:< file:///tmp/crl.der
Where /tmp/crl.der is a DER encoded CRL and can be processed by commands such as
openssl crl -inform DER -in /tmp/crl.der -text
ldapsearch -t -D cn=YOURUSERID -L -w YOURPASSWORD -b "cn=YOURISSUERINFO" "(certificateRevocationList=*)" certificateRevocationList\;binary::
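As an added example (not code from the page, from GSKit or from IBM HTTP Server), the following POSIX shell script builds a throwaway CA whose certificate carries an LDAP CRL Distribution Point, issues and revokes one certificate, publishes the CRL in DER form, writes an LDIF entry in the same shape as the one above, and runs the checks an operator wants before pointing GSKit at the directory: which CDP URIs the issuer advertises (these are consulted first, and without the SSLCRLUserID credentials), whether the CRL signature verifies against the issuer, and whether the revoked serial actually appears. The host name ldap.example.test, the DNs, the file names and the function names are assumptions made for this example; it needs an openssl command of version 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not code from the page or from GSKit/IBM HTTP Server.
# Builds a throwaway CA with an LDAP CRL Distribution Point, publishes a DER
# CRL, writes the LDIF entry in the page's shape and checks the result.
# Host name, DNs, paths and function names are constructed for this example.
set -eu

# CDP advertised in the CA certificate. Commas in the DN are percent-encoded
# because openssl's extension syntax splits the value on ','.
CDP_URI='ldap://ldap.example.test/cn%3DtestCA%2Co%3Dmyorg%2Cc%3DUS?certificateRevocationList'

build_test_pki() {   # $1 = empty working directory
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = testca
[ testca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 5
default_crl_days = 7
policy = anything
[ anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Self-signed CA whose certificate advertises the LDAP CDP (-addext needs openssl >= 1.1.1).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 \
        -subj "/C=US/O=myorg/CN=testCA" \
        -addext "crlDistributionPoints=URI:$CDP_URI" 2>/dev/null
    # Issue one end-entity certificate and revoke it so the CRL is not empty.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=leaf" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/leaf.csr" -out "$dir/leaf.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
    # The directory entry (and GSKit) take DER, like /tmp/CA.der and /tmp/crl.der on the page.
    openssl x509 -in "$dir/ca.crt" -outform DER -out "$dir/CA.der"
    openssl crl -in "$dir/crl.pem" -outform DER -out "$dir/crl.der"
}

# CDP URIs carried by an issuer certificate (DER). GSKit 7.0.3.17+ consults these
# before SSLCRLHost and without the SSLCRLUserID credentials, so know where they point.
cdp_uris() {   # $1 = DER certificate
    openssl x509 -inform DER -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Serial numbers listed as revoked in a DER CRL.
revoked_serials() {   # $1 = DER CRL
    openssl crl -inform DER -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# True when the CRL's signature verifies against the issuer certificate (PEM).
# openssl prints the verdict on stderr, hence 2>&1.
crl_signature_ok() {   # $1 = DER CRL, $2 = PEM issuer certificate
    openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# True when a certificate is rejected as revoked against the CRL (PEM inputs).
cert_revoked() {   # $1 = certificate, $2 = issuer certificate, $3 = CRL
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 | grep -q 'certificate revoked'
}

# Same entry shape as the page; entrustNamedObject omitted (Entrust-specific schema).
write_crl_ldif() {   # $1 = directory holding CA.der and crl.der; writes $1/crl.ldif
    cat > "$1/crl.ldif" <<EOF
dn: cn=testCA,o=myorg,c=US
objectclass: cRLDistributionPoint
objectclass: pkiCA
caCertificate;binary:< file://$1/CA.der
certificateRevocationList;binary:< file://$1/crl.der
EOF
}

main() {
    work=$(mktemp -d)
    build_test_pki "$work"
    write_crl_ldif "$work"
    echo "CDP in issuer certificate: $(cdp_uris "$work/CA.der")"
    echo "Revoked serials in CRL:    $(revoked_serials "$work/crl.der")"
    if crl_signature_ok "$work/crl.der" "$work/ca.crt"; then echo "CRL signature: verify OK"; fi
    if cert_revoked "$work/leaf.crt" "$work/ca.crt" "$work/crl.pem"; then echo "leaf.crt: revoked"; fi
    echo "LDIF entry written to $work/crl.ldif"
}
main
```

The generated crl.ldif is loaded with ldapadd -f, after which the ldapsearch above (with -t to write the binary attribute to a file) should return the same DER bytes that openssl crl -inform DER parses. The CRL signature check matters because a CDP fetch is unauthenticated: GSKit trusts the CRL only by its signature, and the check above is the same test an operator can run by hand on anything a directory hands back.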