CRLs

A Certificate Revocation List (CRL) is a list published by a certificate authority that contains the serial numbers of digital certificates that have been revoked before their scheduled expiration and are no longer trusted. CRLs are used to help relying parties determine whether a certificate should be considered valid.

Each CRL is digitally signed by the issuing CA to ensure integrity and authenticity. It is distributed through standard channels such as HTTP/HTTPS, LDAP, or directory services. A CRL includes the issuer’s name, thisUpdate and nextUpdate timestamps, and a list of revoked certificates. Each entry contains the certificate’s serial number and the revocation date, and may include optional extensions such as the revocation reason (for example, key compromise, CA compromise, affiliation change, superseded, cessation of operation) and, in some cases, an invalidity date.

Validation use and workflow: when software validates a certificate, it may check the issuing CA’s CRL to determine if the certificate’s serial number appears on the list. If it does, the certificate is considered revoked and should not be trusted. Validation can also involve the Online Certificate Status Protocol (OCSP) as a real-time alternative or supplement.

Distribution considerations and limitations: CRLs can become large and must be refreshed regularly, which can introduce latency and bandwidth costs. Clients risk accepting a revoked certificate if they fail to fetch the latest CRL promptly or if there are network access issues. Delta CRLs offer incremental updates to mitigate size, but still require coordination with full CRLs.

Context and standards: CRLs are defined within the X.509 framework and related standards such as RFC 5280, and are a common component of public key infrastructures.
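As an added example (not code from the original page), the validation workflow and the stale-CRL risk described above, using Go's standard crypto/x509 package: a constructed throwaway CA issues a CRL, and the relying-party check verifies the CA's signature, refuses the list once nextUpdate has passed, and only then looks up the serial. The CA name, serial numbers and timestamps are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable here because buildCRL only constructs sample fixtures.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// buildCRL makes a throwaway CA (constructed sample data) and a CRL it signs listing the given serials as revoked (reason 1 = keyCompromise).
func buildCRL(revoked []int64, now time.Time) (*x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // the CA key must be allowed to sign CRLs
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	var entries []x509.RevocationListEntry
	for _, s := range revoked {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-time.Hour), ReasonCode: 1})
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificateEntries: entries} // thisUpdate/nextUpdate bound the list's validity window
	return ca, must(x509.CreateRevocationList(rand.Reader, crl, ca, key))
}

// checkCRL is the relying-party side: verify the issuer's signature, refuse a stale CRL rather than treating an unknown status as "good", then look up the serial.
func checkCRL(crlDER []byte, issuer *x509.Certificate, serial int64, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL stale since %s; fetch a fresh one before deciding", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial {
			return "revoked", nil // serial is on the list: do not trust the certificate
		}
	}
	return "good", nil // absent from a fresh, authentic CRL
}
```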