





Have you ever wondered what happens when a certificate is revoked before its expiration date: where that information goes, and how it is managed? The answer to all of these questions is the Certificate Revocation List.
When a CA decides that an SSL/TLS certificate it issued should no longer be trusted, it adds that certificate's serial number to a CRL, a signed file that lets relying parties learn about revocations securely and efficiently. In this article, we will explore what a CRL is, why it matters, its alternatives, and more.
A Certificate Revocation List is a record of the digital certificates that a certificate authority has invalidated before their scheduled expiration date.
RFC 5280 from the Internet Engineering Task Force (IETF) describes a CRL as a time-stamped list identifying revoked certificates, signed by a CA or a dedicated CRL issuer and made freely available in a public repository. The National Institute of Standards and Technology (NIST) defines it in similar terms: a list of revoked public key certificates created and digitally signed by a certification authority.
Certificate authorities generate CRLs at regular intervals (hourly, daily, or weekly) and publish them at the CRL distribution point named in the certificates they issue, from which relying parties such as web browsers download them. By checking the list, a relying party can confirm that a certificate has not been revoked before it trusts that certificate for a connection.
Note: the list does not include information about expired certificates. Once a revoked certificate passes its expiration date it is rejected for that reason alone, so its entry can eventually be dropped from the CRL to keep the file small.
Although the exact contents of a CRL file vary between CAs, there is some standard information that every CA lists, such as:
There are many reasons a CA might revoke a certificate; let's explore some of them:
The Certificate Revocation List plays a vital part in preserving the security and reliability of digital certificates within a Public Key Infrastructure (PKI). By checking the CRL, relying parties such as web browsers and other applications can confirm the current status of a certificate and make sure the issuing CA has not revoked it. This prevents compromised certificates from being used for malicious ends, such as impersonating a legitimate website or intercepting encrypted traffic.
Beyond that, the lack of a usable CRL can expose users to a range of cyber threats and security concerns, such as:
Before answering this question, it helps to first understand what a Certificate Transparency log, also known as a CT log, is. A CT log is a public, append-only record of the certificates that CAs have issued. Each entry holds the certificate itself, and therefore details such as its public key, the domains it covers, and the issuer's identity.
Although both CRLs and CT logs deal with X.509 certificates, they have completely different purposes. The main objective of a CT log is to let domain owners see every certificate that has been publicly issued for their domains, so that mis-issued or fraudulent certificates can be spotted and acted on. The CRL's main objective is to protect the security and integrity of the PKI by publishing the revocation status of certificates, so that clients can refuse to connect to sites that present revoked ones.
Apart from that, there are two further observable differences:
There are two alternative methods to CRLs for handling the revocation of digital certificates:
Traditionally, when you visited a website, your browser checked whether the site's certificate was still valid by looking for its serial number in the issuing CA's CRL. That meant downloading a potentially large list of revoked certificates, which took time.
With the Online Certificate Status Protocol (OCSP), instead of downloading that whole list, your browser asks the CA's OCSP responder about one certificate. The responder looks the certificate up by its serial number in the same revocation records that feed the CRL and replies with a small, signed OCSP response saying the certificate is "good" (valid), "revoked" (no longer valid), or "unknown" (its status cannot be determined right now, for example because the responder does not recognise the certificate).
There is a variant of OCSP that is faster and simpler still: OCSP stapling. With stapling, the browser does not need to contact the responder at all. The web server itself periodically fetches a signed, time-stamped OCSP response for its own certificate and "staples" it to the certificate it sends during the TLS handshake, which makes the check more efficient, keeps the user's browsing history away from the CA, and improves the browsing experience.
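Everything above, from the CRL's standard fields and per-entry reason codes to the OCSP request and response, can be exercised end to end in a few dozen lines. The following is an added example, not code from the original article, written with Python's `cryptography` package: a throwaway CA issues certificates and signs a CRL with a reason code on each entry; a relying party checks a certificate against that CRL only after verifying the CRL's signature, issuer and thisUpdate/nextUpdate window; and the same question is answered over OCSP, with the client building the request and the CA signing the response. All names, serial numbers and reasons are constructed for the demo, and the CA answers OCSP directly rather than through a delegated responder certificate, which real deployments usually use. The `_naive_utc` helper only papers over a property rename between `cryptography` releases.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
UTC = datetime.timezone.utc
NOW = datetime.datetime.now(UTC).replace(tzinfo=None)  # naive UTC, which the builders accept


def make_cert(cn, serial, issuer=None):
    # Self-signed demo CA when issuer is None, otherwise a leaf signed by issuer=(key, cert).
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signer, issuer_name = (key, name) if issuer is None else (issuer[0], issuer[1].subject)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert


def build_crl(ca, revoked, lifetime=datetime.timedelta(days=7)):
    """CA side: sign a CRL listing revoked={serial: ReasonFlags}. Expired certs are left off."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca[1].subject)
               .last_update(NOW).next_update(NOW + lifetime))  # thisUpdate / nextUpdate
    for serial, reason in revoked.items():
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(ca[0], hashes.SHA256())


def _naive_utc(obj, field):
    # thisUpdate/nextUpdate as naive UTC; cryptography >= 42 exposes tz-aware *_utc properties
    dt = getattr(obj, field + "_utc", None) or getattr(obj, field)
    return dt.astimezone(UTC).replace(tzinfo=None) if dt.tzinfo else dt


def crl_status(crl, ca_cert, cert, now=NOW):
    """Relying party: verify who signed the CRL and that it is current before using it."""
    if crl.issuer != ca_cert.subject or cert.issuer != ca_cert.subject:
        raise ValueError("CRL and certificate must come from the same issuer")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify: do not use it")
    if not _naive_utc(crl, "last_update") <= now <= _naive_utc(crl, "next_update"):
        raise ValueError("CRL is stale or not yet valid: fetch a fresh one")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good", None
    try:
        return "revoked", entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:  # the reason code is optional on a CRL entry
        return "revoked", x509.ReasonFlags.unspecified


def ocsp_request(cert, ca_cert):
    """Client: name the cert by issuer-name hash, issuer-key hash and serial (RFC 6960 CertID)."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build().public_bytes(Encoding.DER)


def ocsp_respond(req_der, ca, issued, revoked, lifetime=datetime.timedelta(hours=1)):
    """Responder (the CA itself here): a serial it never issued gets an error, not a status."""
    serial = ocsp.load_der_ocsp_request(req_der).serial_number
    if serial not in issued:
        return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(Encoding.DER)
    rev = serial in revoked
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=issued[serial], issuer=ca[1], algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if rev else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + lifetime,
                          revocation_time=NOW if rev else None,
                          revocation_reason=revoked[serial] if rev else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca[1])
            .sign(ca[0], hashes.SHA256()))
    return resp.public_bytes(Encoding.DER)


def ocsp_status(resp_der, ca_cert, cert, now=NOW):
    """Client: verify signature, serial and time window; an error response means 'unknown'."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown", None
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))  # raises if forged
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    if not _naive_utc(resp, "this_update") <= now <= _naive_utc(resp, "next_update"):
        raise ValueError("OCSP response is stale")
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "revoked", resp.revocation_reason
    return ("good" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "unknown"), None


def demo():
    # Three leaves, two of them revoked: the CRL and OCSP answers for each must agree.
    ca = make_cert("Demo Root CA", serial=1)
    names = {0x1001: "good.example", 0x1002: "lost-key.example", 0x1003: "replaced.example"}
    leaves = {s: make_cert(cn, serial=s, issuer=ca)[1] for s, cn in names.items()}
    revoked = {0x1002: x509.ReasonFlags.key_compromise, 0x1003: x509.ReasonFlags.superseded}
    crl = build_crl(ca, revoked)
    return {s: (crl_status(crl, ca[1], c),
                ocsp_status(ocsp_respond(ocsp_request(c, ca[1]), ca, leaves, revoked), ca[1], c))
            for s, c in leaves.items()}
```

Call `demo()` to get, per serial number, the CRL verdict and the OCSP verdict; they agree, including the reason code. Two choices are worth copying: the relying party raises rather than returning "good" when the CRL fails the signature or issuer check or is outside its thisUpdate/nextUpdate window (failing open is exactly what an attacker who blocks the CRL download wants), and the responder answers serial numbers it never issued with an "unauthorized" error, which the client reports as "unknown" rather than as "good". Stapling changes only who fetches the output of `ocsp_respond`: the server does, ahead of time, and sends it along in the TLS handshake, so `ocsp_status` runs unchanged on the client.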
A delta CRL is a supplementary list that records only the revocations added since the last full (base) CRL was issued. Instead of downloading the entire list every time, a relying party fetches the base CRL once and then only the small delta, which is quicker to search. This is especially valuable for organizations that revoke certificates often, where the base CRL grows long and looking up an individual serial number becomes slow.
Here are some of the drawbacks of CRL status checks:
A Certificate Revocation List plays a vital role in protecting the security and integrity of digital certificates within a PKI. The list contains the serial numbers of revoked certificates, and relying parties use it to confirm a certificate's status before engaging in online communication. While CRLs are the classic method of handling certificate revocation, alternatives such as OCSP and delta CRLs also exist.