The certificate revocation list (CRL) is a signed list, published and maintained by each certification authority (CA), of all certificates the CA has revoked that are still within their validity dates. When a CA revokes a certificate, the CA administrator (CAA) prepares a new CRL and posts it to the directory server. Each CRL entry carries additional fields, including the reason for revocation, and the list itself carries the date and time of the next update. When a consumer requests access to a resource, the resource can allow or deny access based on whether the consumer's certificate appears on the CRL published by that certificate's issuer.
Figure 1 - An example of a CRL being consumed by a certificate revocation service.
Figure 1 illustrates a CRL checking process that checks the serial number of a certificate against the CRL of the certificate's issuer. If the certificate's serial number appears on the CRL, the certificate is revoked. For example, certificates may be revoked if the owner's private key has been lost, if the owner has left the company or agency, or if the owner's name changes. CRLs document the historical revocation status of certificates so that, for instance, a dated signature may be presumed to be valid if the signature date was within the validity period of the certificate and the CRL that was current for the issuing CA at that date did not show the certificate as revoked.
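The decision logic described above (issuer match, CRL freshness via the next-update field, serial lookup, revocation reason, and the dated-signature rule for historical checks) is shown below as an added, self-contained example; it is not code from the original page. Real CRLs are X.509 structures signed by the CA, and the names `Example CA`, the serial numbers, the dates and the `CA_KEY` value are all constructed for the demonstration; the HMAC over a canonical encoding is only a stand-in for the CA's signature so that the integrity check has a place in the flow.

```python
"""Model of CRL-based certificate status checking (constructed example, stdlib only)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    EXPIRED = "outside certificate validity"
    UNKNOWN = "undetermined"          # CRL unusable: wrong issuer, stale, or bad signature


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str                       # e.g. "keyCompromise", "affiliationChanged"


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime             # the "date and time of the next update" field
    entries: dict                     # serial -> RevokedEntry
    signature: bytes = b""


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


def canonical(crl: CRL) -> bytes:
    """Deterministic encoding of the signed fields (stand-in for DER)."""
    body = {
        "issuer": crl.issuer,
        "thisUpdate": crl.this_update.isoformat(),
        "nextUpdate": crl.next_update.isoformat(),
        "entries": [[e.serial, e.revocation_date.isoformat(), e.reason]
                    for e in sorted(crl.entries.values(), key=lambda e: e.serial)],
    }
    return json.dumps(body, sort_keys=True).encode()


def sign_crl(crl: CRL, ca_key: bytes) -> CRL:
    # HMAC used as a stand-in for the CA's signature (assumption, not real X.509 signing).
    crl.signature = hmac.new(ca_key, canonical(crl), hashlib.sha256).digest()
    return crl


def verify_crl(crl: CRL, ca_key: bytes) -> bool:
    expected = hmac.new(ca_key, canonical(crl), hashlib.sha256).digest()
    return hmac.compare_digest(crl.signature, expected)


def check_status(cert: Certificate, crl: CRL, at: datetime,
                 ca_key: bytes) -> tuple[Status, Optional[str]]:
    """Status of `cert` at time `at`, judged only from `crl`.

    Passing a past `at` with the CRL that was current at that date implements
    the dated-signature rule: a revocation recorded later does not retroactively
    invalidate a signature made before the revocation date."""
    if not verify_crl(crl, ca_key):
        return Status.UNKNOWN, "CRL signature does not verify; list cannot be trusted"
    if cert.issuer != crl.issuer:
        return Status.UNKNOWN, "CRL issuer differs from certificate issuer"
    if not (crl.this_update <= at <= crl.next_update):
        return Status.UNKNOWN, "CRL does not cover the requested time"
    if not (cert.not_before <= at <= cert.not_after):
        return Status.EXPIRED, "certificate not valid at the requested time"
    entry = crl.entries.get(cert.serial)
    if entry is not None and entry.revocation_date <= at:
        return Status.REVOKED, entry.reason
    return Status.GOOD, None


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# --- constructed sample data -------------------------------------------------
CA = "CN=Example CA"
CA_KEY = b"constructed-demo-key"
ALICE = Certificate(CA, 0x1001, utc(2024, 1, 1), utc(2025, 1, 1))   # revoked 1 Mar 2024
BOB = Certificate(CA, 0x2002, utc(2024, 1, 1), utc(2025, 1, 1))     # never revoked
CRL_FEB = sign_crl(CRL(CA, utc(2024, 2, 10), utc(2024, 2, 17), {}), CA_KEY)
CRL_MARCH = sign_crl(CRL(CA, utc(2024, 3, 2), utc(2024, 3, 9), {
    0x1001: RevokedEntry(0x1001, utc(2024, 3, 1), "keyCompromise")}), CA_KEY)
# A list with the entry stripped but the old signature kept: must be rejected.
TAMPERED = CRL(CA, utc(2024, 3, 2), utc(2024, 3, 9), {}, signature=CRL_MARCH.signature)

if __name__ == "__main__":
    print(check_status(ALICE, CRL_MARCH, utc(2024, 3, 5), CA_KEY))   # revoked
    print(check_status(ALICE, CRL_FEB, utc(2024, 2, 15), CA_KEY))    # good at that date
    print(check_status(ALICE, CRL_MARCH, utc(2024, 3, 20), CA_KEY))  # CRL stale
    print(check_status(ALICE, TAMPERED, utc(2024, 3, 5), CA_KEY))    # signature fails
```

Note that a stale or unverifiable CRL yields `UNKNOWN` rather than `GOOD`: the resource then has to decide whether to fail closed, which is the conservative choice the next-update field exists to support.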