A Certificate Revocation List (CRL) is a published list of certificates that a certificate authority has declared no longer trustworthy before their normal expiration. It matters because certificates may need to be invalidated quickly after compromise, misissuance, or ownership changes.
What is Certificate Revocation List (CRL)?
Revocation lists let relying systems check whether a certificate that would otherwise appear valid has been explicitly revoked. CRLs are one of the traditional methods used in PKI ecosystems to distribute certificate revocation status.
What Certificate Revocation List (CRL) Commonly Supports
Common uses include certificate compromise response, device certificate invalidation, internal PKI hygiene, and TLS trust status checking.
Certificate Revocation List (CRL) vs. Expiration-Only Invalidation
Expiration-only invalidation waits for a certificate to age out. CRL-based revocation allows early distrust before the expiration date arrives.
Frequently Asked Questions
Why is revocation important?
Because a compromised certificate may still be within its normal validity period and should not remain trusted.
Are CRLs the only revocation method?
No. OCSP and related approaches also provide revocation status.
