What’s a Certificate Revocation List?


A Certificate Revocation List (CRL) is used to revoke digital security certificates. A certificate authority (CA) issues certificates to users, acting as a trusted third party. A CRL lists certificates that cannot be trusted for various reasons, including compromised private keys or changes to certificate information. CRLs have a short life expectancy due to frequent changes.

A Certificate Revocation List (CRL) is a component of the International Telecommunication Union (ITU) X.509 security standard. Under the X.509 standard, a certificate authority (CA) can use a CRL to explicitly suspend or revoke any issued, non-expired digital security certificate. The CRL is then distributed and used by various computer programs to confirm the validity of security certificates used to identify a source.

The generation of a security certificate by a CA is part of the so-called public key infrastructure (PKI). Through a PKI, any user can be identified by the public key of his security key pair, the user’s private key being the other half of the pair. A user then contacts a CA and, using his public key as identification, requests a security certificate. After verifying the user’s true identity, the CA can issue a certificate bound to the user’s public key. With this method, the CA acts as a trusted third party, guaranteeing the identity of the user to whom a certificate was issued.

A digital security certificate typically has a life span of one to two years. After the certificate expires, the user must renew his existing certificate by revalidating his identity or by requesting a new certificate outright. A certificate’s expiration date is included in the certificate itself, so computer software knows when to no longer honor an expired certificate. There are times, however, when a certificate may need to be revoked before its expiration date. For these cases, a CA must maintain a certificate revocation list that lists all certificates that have not expired but cannot be trusted for some reason.

A certificate revocation list can record one of several reasons for revoking a certificate. The most common is that the certificate owner’s private key is no longer secure, in which case the certificate remains on the list until its expiration date. The user must then generate a new key pair and request a completely new certificate.

There are, of course, other reasons why a certificate may appear in a CRL. A certificate may be listed if it has been superseded by another, if the information it contains about its owner has changed, or if the CA itself has been compromised, in which case the CA’s own certificate is also listed in what is called an authority revocation list (ARL). Another reason a certificate may appear on a CRL is that it has been placed on hold for some reason. A certificate marked as held can be reinstated, and dropped from, the next CRL the CA distributes. The many and frequent changes to the state of digital security certificates mean that a certificate revocation list usually has a life expectancy of around 24 hours, and sometimes less.
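As an added example, not part of the original article, the following Go program uses only the standard library’s crypto/x509 package (Go 1.21 or later, for RevokedCertificateEntries) to play both sides of the process described above: a constructed test CA signs a CRL that lists one certificate revoked for key compromise and one placed on hold, with nextUpdate 24 hours out, and a relying party checks serial numbers against that CRL, first verifying the CRL’s signature and refusing a CRL that is past its nextUpdate. The CA name "Example Test CA", the serial numbers 1001 to 1003 and the timestamps are constructed for the example; the reason codes are the CRLReason values from RFC 5280.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Two CRLReason codes from RFC 5280 section 5.3.1 for cases the article names.
const ReasonKeyCompromise = 1   // private key compromised: stays listed until the cert expires
const ReasonCertificateHold = 6 // temporary: the entry can be dropped from a later CRL

// Status is the outcome of checking one serial number against a CRL.
type Status struct{ Revoked bool; ReasonCode int } // ReasonCode is 0 when not listed

// newCA builds a self-signed CA (constructed test data, not a real authority); cRLSign key usage lets it sign CRLs.
func newCA(now time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCRL signs a CRL over the entries; nextUpdate 24h out is the short lifetime the article describes.
func issueCRL(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, now time.Time, entries []x509.RevocationListEntry) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: entries,
	}, caCert, caKey)
}

// checkCRL is the relying-party side: verify the CRL signature against the issuing CA,
// refuse a CRL outside its thisUpdate/nextUpdate window, then look the serial up.
func checkCRL(crlDER []byte, caCert *x509.Certificate, serial *big.Int, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Status{}, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return Status{}, fmt.Errorf("CRL signature not valid for this CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return Status{}, fmt.Errorf("CRL not current (nextUpdate %s); fetch a fresh one", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return Status{Revoked: true, ReasonCode: e.ReasonCode}, nil
		}
	}
	return Status{}, nil // not listed: not revoked as of this CRL
}

// runScenario revokes serial 1001 (key compromise) and 1002 (hold), leaves 1003 untouched,
// and reports whether a check two days later, when the CRL is past nextUpdate, was rejected.
func runScenario() (map[int64]Status, bool, error) {
	now := time.Now().UTC().Truncate(time.Second)
	caKey, caCert, err := newCA(now)
	if err != nil {
		return nil, false, err
	}
	crl, err := issueCRL(caKey, caCert, now, []x509.RevocationListEntry{
		{SerialNumber: big.NewInt(1001), RevocationTime: now, ReasonCode: ReasonKeyCompromise},
		{SerialNumber: big.NewInt(1002), RevocationTime: now, ReasonCode: ReasonCertificateHold},
	})
	if err != nil {
		return nil, false, err
	}
	statuses := map[int64]Status{}
	for _, s := range []int64{1001, 1002, 1003} {
		if statuses[s], err = checkCRL(crl, caCert, big.NewInt(s), now); err != nil {
			return nil, false, err
		}
	}
	_, staleErr := checkCRL(crl, caCert, big.NewInt(1003), now.Add(48*time.Hour))
	return statuses, staleErr != nil, nil
}

func main() { fmt.Println(runScenario()) }
```

The order of checks in checkCRL is the point: a CRL is only evidence if it was signed by the CA that issued the certificate and is still inside its thisUpdate/nextUpdate window. A stale CRL may simply not yet list a certificate that has since been revoked, so the relying party refuses to draw any conclusion from it rather than reporting the serial as good.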
