diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 19ff3844d..acfe989a5 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1724,6 +1724,69 @@ statistic_print(struct statistic_print_options*opt, int argc, char **argv)
 return 0;
 }
+/*
+ *
+ */
+
+int
+crl_sign(struct crl_sign_options *opt, int argc, char **argv)
+{
+ hx509_crl crl;
+ heim_octet_string os;
+ hx509_cert signer = NULL;
+ hx509_lock lock;
+ int ret;
+
+ hx509_lock_init(context, &lock);
+ lock_strings(lock, &opt->pass_strings);
+
+ ret = hx509_crl_alloc(context, &crl);
+ if (ret) _hx509_abort("hx509_crl_alloc");
+
+ if (opt->signer_string == NULL)
+ errx(1, "signer missing");
+
+ {
+ hx509_certs certs = NULL;
+ hx509_query *q;
+
+ ret = hx509_certs_init(context, opt->signer_string, 0,
+ NULL, &certs);
+ if (ret)
+ hx509_err(context, 1, ret,
+ "hx509_certs_init: %s", opt->signer_string);
+
+ ret = hx509_query_alloc(context, &q);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+
+ ret = hx509_certs_find(context, certs, q, &signer);
+ hx509_query_free(context, q);
+ hx509_certs_free(&certs);
+ if (ret)
+ hx509_err(context, 1, ret, "no signer certificate found");
+ }
+
+ hx509_crl_sign(context, signer, crl, &os);
+
+ hx509_crl_free(context, crl);
+
+ hx509_cert_free(signer);
+
+ if (opt->crl_file_string)
+ rk_dumpdata(opt->crl_file_string, os.data, os.length);
+
+ free(os.data);
+
+ return 0;
+}
+
+/*
+ *
+ */
 int
 help(void *opt, int argc, char **argv)
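Review bot: The result of `hx509_crl_sign(context, signer, crl, &os)` in the new crl_sign is discarded, yet `os` is declared without an initializer, so if signing fails the later `rk_dumpdata(..., os.data, os.length)` and `free(os.data)` operate on an indeterminate pointer and length; check it the way every other hx509 call in this function is checked. Separately, `lock` is initialised and filled from `opt->pass_strings` but is never handed to `hx509_certs_init` (the lock argument is passed as `NULL`, which appears to be the slot the other hxtool commands use for it) and is never released with `hx509_lock_free`, so a password-protected signer store presumably cannot be opened and the lock leaks on every call. The empty `/* * */` header above the function should say what the command does, e.g. `/* Sign a newly allocated CRL with the private key of the certificate selected by opt->signer_string and write the DER encoding to opt->crl_file_string when given. */`. The rewritten lines, with the unchanged parts of the body elided:
```c
 ret = hx509_certs_init(context, opt->signer_string, 0,
                        lock, &certs);
 /* … unchanged: query setup, hx509_certs_find, query/certs cleanup … */
 }
 hx509_lock_free(lock);

 ret = hx509_crl_sign(context, signer, crl, &os);
 if (ret)
     hx509_err(context, 1, ret, "hx509_crl_sign");
 /* … unchanged: hx509_crl_free, hx509_cert_free, rk_dumpdata, free … */
```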