Certificate Revocation List (CRL)

Security Glossary - SSL/TLS

Definition: A Certificate Revocation List is a list published by a Certificate Authority containing the serial numbers of all certificates it has revoked before their expiration date. Clients can download the CRL to check whether a specific certificate has been revoked. CRLs are being replaced by OCSP and OCSP stapling for real-time revocation checking.

Why CRL Is Important

CRLs are the original mechanism for certificate revocation but have significant scalability problems. A busy CA may revoke thousands of certificates, and clients must download the entire list to check a single certificate. This wastes bandwidth and adds latency, especially on mobile networks.

Despite their limitations, CRLs still play a role. Some enterprise environments and older systems rely on CRLs. Chrome uses a compressed form called CRLSets that covers high-priority revocations. Understanding CRLs also explains why your certificate might still appear trusted even after revocation: a client that has not refreshed its cached CRL does not yet know the certificate was revoked.

For website operators, the practical takeaway is that revocation checking is imperfect across all mechanisms. If your private key is compromised, you should revoke the certificate through your CA, but also immediately replace it with a new one and update your server configuration. Do not rely solely on revocation to protect your users.

How to Verify

Your certificate's CRL distribution point is listed in the certificate details. An SSL checker can verify the CRL is accessible. In practice, focus on enabling OCSP stapling rather than worrying about CRL configuration, since most modern clients prefer OCSP.
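The following shell script is an added example, not the page's own tool: it builds a throwaway CA with openssl, issues a leaf certificate whose CRL distribution point is a constructed URI, reads that distribution point the way a client would, revokes the certificate, and then checks the leaf against a CRL published before and after the revocation, which shows the cached-CRL blind spot described on this page. Only openssl is required; the CA name, file names, hostname and URI are assumptions.

```shell
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF
# Self-signed demo CA, then a leaf certificate that carries the (constructed) CRL distribution point.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=Demo CA" -config ca.cnf -extensions ca_ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem -extensions leaf_ext 2>/dev/null
# Step 1: read the distribution point a client would download the CRL from.
crl_dp() { openssl x509 -in leaf.pem -noout -text | grep -o 'URI:[^ ]*'; }
# Step 2: validate the leaf against the CA plus one CRL file; prints "ok" or "revoked".
crl_status() {
  cat ca.pem "$1" > trust.pem
  if openssl verify -crl_check -CAfile trust.pem leaf.pem >/dev/null 2>&1
  then echo ok; else echo revoked; fi
}
openssl ca -config ca.cnf -gencrl -out stale.crl 2>/dev/null   # CRL published before revocation
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out fresh.crl 2>/dev/null   # CRL published after revocation
echo "distribution point: $(crl_dp)"
echo "cached stale CRL:   $(crl_status stale.crl)"   # ok: the revocation is not visible yet
echo "fresh CRL:          $(crl_status fresh.crl)"   # revoked
```

A client still holding stale.crl until its Next Update passes keeps treating the certificate as valid, which is why the page advises replacing a compromised certificate rather than relying on revocation alone.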


Common Questions About CRL

Are CRLs still used?
CRLs are still published by CAs and used by some enterprise systems, but modern browsers have largely moved to OCSP or proprietary revocation mechanisms like Chrome's CRLSets. CRLs remain important for non-browser TLS clients.
How often are CRLs updated?
This varies by CA but is typically every few hours to every few days. The 'Next Update' field in the CRL specifies when a fresh version will be published. During this interval, newly revoked certificates may still appear valid to clients using a cached CRL.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.