Certificate revocation list

From WikiMD's Wellness Encyclopedia

Error creating thumbnail:
CRL in Windows

Template:Infobox cryptography

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the certificate authority (CA) before their scheduled expiration date and should no longer be trusted. CRLs are a critical component of the public key infrastructure (PKI) used to manage the distribution and revocation of digital certificates.

Overview[edit | edit source]

Digital certificates are used to verify the identity of entities and to secure communications over networks such as the Internet. When a certificate is no longer trustworthy, it must be revoked to prevent misuse. Reasons for revocation include the compromise of the certificate's private key, the certificate holder's information changing, or the certificate being issued in error.

Structure[edit | edit source]

A CRL is typically issued in a format specified by the X.509 standard. It contains the following information:

  • The issuer of the CRL
  • The date the CRL was issued
  • The date the next CRL will be issued
  • A list of revoked certificates, including their serial numbers and the revocation dates
  • The reason for each revocation

Types of CRLs[edit | edit source]

There are two main types of CRLs:

  • **Full CRL**: Contains all revoked certificates issued by a CA.
  • **Delta CRL**: Contains only the certificates revoked since the last full CRL was issued.

Distribution[edit | edit source]

CRLs are distributed by the CA that issued the certificates. They can be accessed via various protocols, including HTTP, LDAP, and FTP. The location of the CRL is typically specified in the certificate itself through the CRL Distribution Points (CDP) extension.

Validation[edit | edit source]

When a certificate is presented for validation, the relying party must check the CRL to ensure the certificate has not been revoked. This process can be time-consuming, especially if the CRL is large. To address this, the Online Certificate Status Protocol (OCSP) can be used as an alternative to CRLs, providing real-time certificate status information.

Related Concepts[edit | edit source]

See also[edit | edit source]

Contributors: Prab R. Tumpati, MD