/ˌsiː.ɑːrˈɛl/

noun — "the blacklist that keeps revoked certificates in check."

CRL, short for Certificate Revocation List, is a digitally signed list of certificates that a Certificate Authority has revoked before their scheduled expiration within a PKI. It lets systems and applications determine that a digital certificate is no longer trustworthy, for example because of key compromise or a policy violation, so that secure connections are not established on a certificate the issuer has withdrawn.

Technically, a CRL is generated and signed by a Certificate Authority (CA) and distributed to relying parties either periodically or on demand. Each entry in the list includes the serial number of the revoked certificate, the revocation date and, optionally, the reason for revocation. Applications consult the CRL when validating a certificate before establishing a secure connection; this complements online methods such as the Online Certificate Status Protocol (OCSP), which answer per-certificate queries in real time.

Key characteristics of CRL include:

  • Trust maintenance: lets relying parties reject revoked certificates before they can be misused.
  • Signed by CA: provides authenticity and prevents tampering.
  • Periodic updates: regular reissue keeps the revocation status that clients and servers rely on current.
  • Scalability: can handle large numbers of revoked certificates.
  • Complementary to OCSP: works with online verification methods for enhanced security.

In practical workflows, network systems, web browsers, and secure applications check CRLs before trusting a certificate. Administrators ensure timely publication and distribution of CRLs to prevent security breaches caused by compromised certificates.
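The CA-side and relying-party-side workflow described above, as an added example that is not part of the original entry: the CA signs a CRL listing a revoked serial with a date and reason code, and the client verifies the CRL's signature and freshness before looking the serial up. The CA name, serial numbers and validity windows are constructed for the demo, and the code assumes Go 1.21 or newer for the `RevocationListEntry` API in the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCA builds a throwaway self-signed CA able to sign CRLs (demo: errors are not checked).
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der) // parsed copy carries the auto-generated SubjectKeyId the CRL needs
	return cert, key
}

// issueCRL is the CA side: a signed list in which every entry names a serial, the revocation date and a reason.
func issueCRL(ca *x509.Certificate, key ed25519.PrivateKey, revoked []*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(12 * time.Hour)}
	for _, s := range revoked { // ReasonCode 1 is keyCompromise in the X.509 CRLReason enumeration
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: time.Now(), ReasonCode: 1})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// isRevoked is the relying-party side: trust the list only after its signature and freshness check out.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // fails unless ca's key signed it and ca carries the cRLSign usage
	}
	if err == nil && time.Now().After(crl.NextUpdate) {
		err = errors.New("CRL is past nextUpdate; fetch a fresh copy rather than trusting it")
	}
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil // listed before its expiry date: reject the certificate
		}
	}
	return false, nil
}
```

A CRL presented with a signature from any key other than the issuing CA's is rejected outright, which is what keeps an attacker from serving a shortened list to hide a revocation.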

Conceptually, a CRL is like a “wanted list” for digital certificates, keeping compromised or invalid keys out of secure communications.

Intuition anchor: CRL ensures only trustworthy certificates are accepted, preserving the integrity of cryptographic trust.

Related links include PKI, CA, and OCSP.