from Wikipedia, the free encyclopedia

A certificate revocation list ( english list certificate revocation , CRL ) is a list that the invalidity of certificates describes. It makes it possible to determine whether a certificate has been revoked or revoked and why.

Certificates are blocked or revoked if their associated key is e.g. B. are no longer secure because they got into the wrong hands or were "cracked" - in such cases the certificate must be revoked before the actual expiry date so that the key can no longer be used. Another reason for the revocation or revocation of a certificate can be incorrect certificate content, for example in the case of a name change. Certificate revocation lists are therefore an important part of the public key infrastructure .

A lock (Engl. Hold ) is temporary and can be reversed (eg. As if you are not sure if the private key is lost / compromised, but you want to be sure), a revocation (Engl. Revocation ) is final.

Explains a certification authority (Engl. Certificate authority , CA ) a certificate (or several) to be invalid, it bears the serial number of this certificate in the Certificate Revocation List a. This is always queried when a program asks the certification authority whether a certain certificate is valid (which should be done before each use of the key).

The blacklist contains a time stamp and is itself secured by a digital signature to protect it from manipulation . Software that evaluates this blacklist can thus check whether the integrity of the blacklist is guaranteed and whether it comes from a trustworthy publisher.

The blacklist also includes a period of validity, outside of which the information in the list is no longer to be considered valid. After the validity period has been exceeded, an application should download a current version of this list from the issuing CA.

In theory, such blacklists are quite easy to create and manage, but have so far rarely been used in practice. The problem is that a program always has to ask the certification authority before using a key - which requires an internet connection . If there is no connection, the certificate cannot be checked and it is then possible that a key is used that is already known to unauthorized persons.

Structure of an X.509 v2 CRL

  • version
  • Creator of the CRL
  • Algorithm for the signature
  • Update time of the issue of this CRL
  • Update time of the issue of the next CRL
  • List of withdrawn certificates (serial number and time of revocation)
  • Extensions


By definition, blacklists are black lists and therefore cannot provide a user with any information about whether a certificate is valid. Nor can they provide information about whether a certificate has ever been issued by a certification authority.

In addition, blacklists make statements about the past; Such a list cannot be used to check whether a certificate has been revoked at any given moment.

A newer protocol for querying certificate validity is the Online Certificate Status Protocol (OCSP), which was developed to solve problems with revocation lists. OCSP implementations, however, often rely on blacklists, so that here the problems have merely been relocated.

Norms and standards

The "Internet X.509 Public Key Infrastructure" and its certificate revocation list are standardized via RFC. There is a main path (to the current RFC 5280 ) and additions:

  • RFC 2459 "Certificate and CRL Profile" from 1999. (Obsolete)
  • RFC 3280 "Certificate and Certificate Revocation List (CRL) Profile" from 2002. (Obsolete)
    • Supplement to RFC 4325 "Access Certificate Revocation List (CRL) Extension" from 2005 (obsolete).
    • Supplement to RFC 4630 "Update to DirectoryString Processing [...] (CRL) Profile" from 2006 (obsolete).
  • RFC 5280 "Certificate and Certificate Revocation List (CRL) Profile" from May 2008.
    • Addition to RFC 6818 "Updates [...] (CRL) Profile" from January 2013.
    • Addition to RFC 8398 "Internationalized Email Addresses in X.509 Certificates" from May 2018.
    • Addition to RFC 8399 "Internationalization Updates to RFC 5280" from May 2018.


Web links