What Is CRL? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
A Certificate Revocation List (CRL) is like a blacklist of untrusted digital IDs. When a certificate is no longer valid-because it was compromised or the owner left the company-the CA adds it to the CRL. Systems check this list to decide whether to trust a certificate.
Commonly Confused With
OCSP (Online Certificate Status Protocol) checks a certificate's revocation status in real-time by querying an OCSP responder, rather than downloading a list. CRL is a batch process; OCSP is a request-response process. OCSP can also specify the 'good' status, while CRL only tells you if a certificate is revoked (absence from the list does not guarantee goodness if the list is stale).
CRL is like checking a daily printed list of expelled students; OCSP is like calling the school office right now to ask about one specific student.
Certificate Revocation is the action of invalidating a certificate by the CA. CRL is the mechanism used to distribute that information. You can revoke a certificate without a CRL (e.g., by using OCSP), but a CRL is useless without having revocation events to list.
Revoking a certificate is like canceling a credit card. Publishing the CRL is like sending the canceled card number to the merchant's blacklist. They are two different steps but linked.
Expiration is the natural end of a certificate's validity period, set at issuance. Revocation is an early termination. CRL only lists revoked certificates, not expired ones. Expired certificates are invalid due to time, not due to a security event.
An expired passport is automatically invalid after its expiry date. A revoked passport is valid by date but has been deliberately canceled due to loss or theft. CRL only deals with the revoked ones.
Must Know for Exams
CRL is a core objective in the CompTIA Security+ (SY0-601 and SY0-701) exam under Domain 3 (Cryptography) and Domain 4 (Identity and Access Management). The exam expects you to understand not just what a CRL is, but how it fits into the PKI lifecycle: certificate generation, distribution, revocation, and renewal. You need to know that revocation happens before expiration, and that the CRL is the list that records it.
For CompTIA Security+ specifically, you must be able to differentiate between CRL and OCSP. The exam loves this comparison. You should know that CRL is a list-based, periodic, offline method, while OCSP is a real-time, query-based, online method. Questions often ask: "Which of the following is a disadvantage of using a CRL?" The correct answer is usually "latency" or "size" or "the window of vulnerability." You should also know that the CRL is signed by the CA, and that clients check the CDP extension to find the CRL URL.
Beyond Security+, CRL appears in other exams like CISSP (Domain 4: Cryptography) and Network+ (Domain 5: Network Security). In those exams, questions might involve scenario-based troubleshooting. For example: "A user cannot access a secure website. The browser displays a warning that the certificate has been revoked. The IT team checks the CA and the certificate is not on the CRL. What is the most likely issue?" Answer: The CRL might not have been updated yet, or the browser is checking an old cached CRL.
In multiple-choice questions, traps often revolve around confusing CRL with other PKI concepts like certificate signing request (CSR), private key, or digital signature. Another common trap is thinking that CRL contains all certificates issued by the CA (it only contains revoked ones). Exam takers also need to remember that CRL does not provide real-time status; that's OCSP. Flash cards and memory tricks for the acronym 'CRL' can help: think 'Certificate Revocation List-Like a Blacklist'.
Simple Meaning
Imagine you are a bouncer at a very secure club. Every member has an official ID card issued by the club's management. That ID card is like a digital certificate-it proves who you are and that you're allowed in. But sometimes, a member loses their card, or they get fired, or they do something that means they should no longer be trusted. The club management can't just run after every member to take their card back. Instead, they print a list every morning called the "People to Deny Entry" list. This list contains the names and ID numbers of everyone who used to be trusted but is not anymore.
That printed list is the CRL. As bouncer, you don't just look at the ID card; you also check the daily list. If the ID card looks perfect but the number is on the list, you deny entry. In the digital world, a Certificate Authority (CA) issues certificates to websites, servers, or users to prove their identity. But certificates can expire, get hacked, or be issued by mistake. The CA publishes a CRL that lists the serial numbers of all those bad certificates. Any computer or browser that wants to check a certificate first downloads the CRL (or checks a cached copy) to see if that certificate has been blacklisted. If the serial number is on the CRL, the computer rejects the connection, just like you would reject the club member on the list.
This process isn't instant. The CRL is published on a schedule-maybe every hour, day, or week. So there is a window of time between when a certificate is revoked and when the list is updated and shared. That's one reason newer systems also use faster methods like OCSP (Online Certificate Status Protocol). But for many basic security setups and for exam questions, CRL is the classic, reliable way to distribute revocation information.
Full Technical Definition
A Certificate Revocation List (CRL) is a time-stamped, signed data structure defined by the ITU-T X.509 standard (specifically RFC 5280) that enumerates digital certificates that have been revoked by a Certificate Authority (CA) prior to their natural expiration. The CRL is created and digitally signed by the CA to prevent tampering. It contains the serial numbers of revoked certificates, the date of revocation, and optionally, the reason for revocation (e.g., key compromise, CA compromise, affiliation changed, superseded, cessation of operation, or certificate hold).
The CRL is published by the CA at regular intervals, often every hour, day, or week, depending on the CA's policy. The CRL distribution point (CDP) is a URI embedded in each certificate (in the CDP extension) that tells clients where to fetch the current CRL. When a relying party (such as a web browser or an email client) validates a certificate, it performs a CRL check: it downloads the latest CRL from the designated URL, verifies the CA's digital signature on the CRL, and then searches for the serial number of the certificate in question. If the serial number is found, the certificate is considered revoked and the connection fails or a warning is displayed.
CRLs come in two main types: full CRLs (which list all revoked certificates from the CA) and delta CRLs (which list only changes since the last full CRL, reducing bandwidth usage). Multiple CRLs can exist for a single CA, sometimes segmented by reason or by issuing authority within a hierarchy. The CRL does not contain every certificate the CA has ever issued; it only lists those that have been revoked. Expired certificates are not listed on the CRL because they are already invalid by time.
One of the key limitations of CRLs is their size and latency. In large PKI environments (like enterprise networks with thousands of devices), a CRL can become enormous, straining network bandwidth and client processing time. The periodic update model means there is always a window where a revoked certificate is still trusted. For this reason, many modern systems use Online Certificate Status Protocol (OCSP), which checks revocation status in real-time. However, CRLs remain a fundamental concept in PKI and are frequently tested in certification exams like CompTIA Security+. Understanding CRLs, their structure, how they are distributed, and their weaknesses is essential for anyone working with digital certificates, HTTPS, smart cards, or code signing.
Real-Life Example
Think of a university student ID system. At the start of each semester, the university issues ID cards to all enrolled students. These cards have an expiration date (the end of the semester). They are like digital certificates. But things happen during the semester. A student drops out, gets expelled, or loses their ID. The university can't physically take back every card. Instead, the campus security office prints a "Revoked IDs" list every Monday. This list has the ID numbers of every student who has lost their privileges.
Now, imagine you are a librarian at the university library. A student walks in and swipes their ID to borrow a laptop. The system does not just check whether the card is physically valid or not expired. It also checks the Monday list. If the student's ID number appears on that list, the system refuses the loan, even if the card itself is still good for another month. That list is the CRL.
The IT parallel: The university is the Certificate Authority (CA). The student ID is the digital certificate. The ID number is the certificate serial number. The Monday list is the CRL. The library computer (the client) has to periodically download and check the list before trusting the swipe. If the student drops out on a Tuesday, their ID number will not be on the list until the following Monday. That gap is the vulnerability window. In the digital world, that window can be exploited if someone uses a stolen certificate before the CRL is updated.
This analogy also explains why a CRL can be large and slow. If the university has 30,000 students but only 15 have lost their IDs this week, the list is still manageable. But if it's a huge university with hundreds of thousands of students, the list can get massive. Downloading that list every time you borrow a book would be impractical. So the library might cache the list for a day, but then it risks using stale data. That's exactly the trade-off PKI administrators face with CRLs.
Why This Term Matters
CRLs matter because the security of any PKI system relies on the ability to revoke trust instantly when a certificate is compromised. Without revocation, a stolen certificate would remain valid until its natural expiration, which could be years. Attackers could use a stolen web server certificate to impersonate a legitimate website, or use a stolen code-signing certificate to distribute malware that appears signed by a trusted vendor.
In practical IT, CRLs are used everywhere: in web browsers checking HTTPS certificates, in email encryption (S/MIME), in software updates (code signing), in VPN authentication, and in smart card logon for enterprises. When a system administrator notices that a certificate was issued incorrectly, or a private key was exposed, they must revoke the certificate immediately. The CRL is the mechanism that communicates that revocation to every client that interacts with that certificate.
However, the CRL model has real-world problems that matter to IT professionals. CRLs can be too large to download on slow networks, causing validation failures and user frustration. If a client cannot download the CRL (due to network issues or a misconfigured CDP URL), some security policies may treat that as a failure and block the connection, while others may allow the connection with a warning. Misconfigured CDP extensions are a common cause of certificate verification errors. Also, because CRLs are updated periodically, there is a known latency problem. Attackers can exploit that window. For these reasons, many organizations supplement CRLs with OCSP, which provides real-time status. But CRLs remain a required fallback and a core concept for exam preparation.
How It Appears in Exam Questions
Exam questions about CRL typically fall into three categories: comparison questions, scenario-based troubleshooting questions, and definition/comprehension questions.
Comparison questions ask you to select the best method for a given situation. For example: "A company needs to check certificate revocation status for a high-traffic e-commerce site. They want to minimize bandwidth and provide real-time results. Which should they use?" Correct answer: OCSP. Distractor: CRL. Another variant: "Which of the following describes a CRL?" with options like "a list of all issued certificates" (wrong), "a list of expired certificates" (wrong), or "a list of revoked certificates" (correct).
Scenario-based questions often present a network problem: "A web server's private key was compromised, and the administrator revoked the certificate. However, users can still access the site without warnings for the next six hours. Why?" The answer is that the CRL is updated only every 6 hours, so clients are still using the old, safe list. Another scenario: "A certificate validation fails with an error 'CRL not available'. What should the administrator check?" The answer involves the CDP extension in the certificate and whether the CRL URL is reachable.
Troubleshooting questions may ask: "A user reports that their browser cannot connect to an HTTPS site. The certificate is valid and not expired. A certificate path check shows that the CRL distribution point is unreachable. Which of the following is the most likely result?" The correct answer is that the browser may either fail the connection (depending on security policy) or display a warning. Some browsers soft-fail if the CRL is temporarily unavailable, but strict security policies will hard-fail.
Configuration-type questions might ask: "An administrator is deploying a new internal PKI. They want to reduce the window of vulnerability for revocation. Which of the following is the best combination?" Answer: Use delta CRLs and set a more frequent CRL publication interval. Or: Use OCSP alongside CRL.
The exam also tests the concept of 'freshness', that is, how current the CRL is. A question could state: "The CRL has a nextUpdate field of 01/01/2025. Today is 01/02/2025. What does this mean?" Answer: The CRL is stale and should not be trusted until a new one is downloaded.
Practise CRL Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a system administrator for a mid-sized company, XYZ Corp. The company uses digital certificates to secure its internal web applications and email system. One day, you get an urgent call: the laptop of a senior finance manager has been stolen. That laptop had a client authentication certificate installed, which allowed the manager to log into the company's financial system securely. You need to make sure that certificate can never be used by the thief.
You access your internal Certificate Authority's management console. You find the certificate by its serial number and click 'Revoke'. The CA immediately marks that certificate as revoked in its database. However, revoking it in the database is not enough; you need to tell every server in the company to stop trusting it. The CA is configured to generate a new CRL every 24 hours at midnight. You just revoked the certificate at 10:00 AM. That means for the next 14 hours, any server that checks the CRL will see the old version, which does not include the stolen certificate. If the thief tries to authenticate to the financial system at 2:00 PM, the server checks the CRL, does not find the serial number, and grants access.
To minimize this risk, you decide to change the CRL publication interval to every hour, and you also enable delta CRLs, so that clients only download the small list of recent changes. You configure the financial system to use OCSP as a primary check, falling back to CRL only if OCSP is unavailable. This scenario highlights the practical latency challenge of CRLs and why administrators must design their PKI for both security and usability. It also shows that CRL alone is often not enough; you need to understand when and how to combine it with other methods.
Common Mistakes
Thinking that CRL contains all certificates ever issued by the CA.
The CRL only contains certificates that have been revoked before their expiration. Expired certificates are not listed. The CRL would be huge if it included all issued certificates forever.
Think of CRL as a 'blacklist' only for revoked certificates, not as a full directory.
Believing that CRL provides real-time revocation status.
CRLs are published on a schedule (hourly, daily, etc.). There is always a delay between revocation and when the list is updated. Real-time status requires OCSP.
Remember the 'L' in CRL stands for 'List', a list is a snapshot in time, not a live status.
Assuming that a certificate not found on the CRL is automatically valid.
A certificate could be absent from the CRL simply because the CRL is outdated or the client could not download it. Also, the certificate could be expired, which is not indicated on the CRL.
Check the certificate's validity period and the CRL's freshness (nextUpdate field). If the CRL is stale, the certificate status is unknown.
Confusing CRL with Certificate Revocation (the act of revocation).
Revocation is the action taken by the CA. CRL is the list that communicates the revocation. They are different steps.
The CA revokes the certificate (action) and then publishes the revocation on the CRL (communication).
Thinking that a CRL is always a single file for an entire CA.
A CA can have multiple CRLs, such as segmented CRLs by reason code, or separate CRLs for different subordinate CAs. Delta CRLs are also distinct from full CRLs.
Understand that CRLs can be hierarchical and segmented. The CDP extension in the certificate tells the client exactly which CRL URL to fetch.
Exam Trap — Don't Get Fooled
{"trap":"The exam presents a scenario where a certificate is revoked, but the CRL has not yet been updated. The question asks: 'Why is the certificate still being accepted by clients?' The learner chooses 'Because the CRL is not signed by the CA.'
","why_learners_choose_it":"Learners might think that if the CRL is not properly signed, it will be rejected, so clients trust the certificate. But the actual reason is the CRL update interval.","how_to_avoid_it":"Always remember: The issue with CRLs is latency, not signature validity.
The CRL is almost always signed properly. The problem is timing. Focus on the word 'periodic' in your mental model."
Step-by-Step Breakdown
1. Certificate Issuance
The CA issues a digital certificate with a unique serial number and an expiration date. The certificate also includes a CDP (CRL Distribution Point) extension that tells clients where to fetch the CRL later.
2. Revocation Event
Something happens that requires the certificate to be invalidated before expiration: private key compromise, employee termination, or change of affiliation. The CA administrator or an automated process revokes the certificate in the CA database.
3. CRL Generation
At the next scheduled interval, the CA generates a new CRL. It lists the serial numbers of all certificates revoked since the last CRL (full CRL) or the changes since the last full CRL (delta CRL). The CRL is digitally signed by the CA to ensure integrity.
4. CRL Publication
The signed CRL is published at the URL specified in the CDP extension of every certificate. It may be distributed via HTTP, LDAP, or other protocols. Clients must be able to reach this URL to download the CRL.
5. Client Validation
When a client (browser, email client, VPN) needs to verify a certificate, it reads the CDP extension, downloads the CRL from the URL, verifies the CA's signature, and checks the nextUpdate field for freshness. Then it searches for the certificate's serial number.
6. Decision
If the serial number is found on the CRL, the client treats the certificate as revoked and rejects the connection or displays a warning. If not found, and the CRL is fresh, the certificate is considered valid (subject to other checks like expiration and signature validation).
7. Staleness Handling
If the CRL cannot be downloaded or is stale (past nextUpdate), the client's security policy determines the outcome. Some clients fail the connection (hard fail), others proceed with a warning (soft fail). This is a key security decision for administrators.
Practical Mini-Lesson
In a real IT environment, managing CRLs involves several best practices. First, never rely solely on CRLs for critical systems. Use OCSP as the primary revocation check because it provides real-time status. However, you must still have CRLs as a fallback-some clients or scenarios may not support OCSP. Configure your CA to generate delta CRLs frequently (e.g., every hour) and full CRLs less often (e.g., every day). This reduces bandwidth for clients.
Second, ensure that the CDP extension in your certificates points to an internal, highly available server. If the CRL distribution point goes down, clients may fail to validate certificates. For internal CAs, use LDAP or a web server. For public CAs, CDP URLs are typically hosted on content distribution networks. You should test these URLs regularly.
Third, monitor CRL size. If your CRL grows very large (hundreds of megabytes), clients on slow network links will suffer. You can segment your CA hierarchy: issue certificates from subordinate CAs that have smaller revocation lists. Also, consider using CRL segmentation by reason (e.g., one CRL for key compromise, another for affiliation change). This way, clients only download the list relevant to their checks.
Fourth, be aware of the CRL caching behavior in clients. Browsers and operating systems cache CRLs for performance. If you revoke a certificate urgently, you may need to flush the cache on the client side-or accept that the revocation will take effect only when the client downloads a new CRL. This is especially important in incident response.
Finally, what can go wrong? A common issue is that the CRL URL in the certificate is a public URL (e.g., http://crl.example.com/crl.crl) but the client is behind a firewall that blocks that URL. This causes validation errors. Another issue is when the CA's private key that signs the CRL is itself compromised-then all CRLs are untrustworthy until the CA is re-established. In that rare scenario, the CA must be revoked and a new one created. Understanding these practical aspects helps you design resilient PKI systems and answer exam troubleshooting questions.
Memory Tip
CRL = 'Criminals on a Rollcall List', a list of bad certificates you can roll through.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Does a CRL contain every certificate issued by the CA?
No. The CRL only contains certificates that have been revoked before their expiration. Expired certificates are not listed.
How often is a CRL updated?
It depends on the CA's policy. CRLs can be updated every hour, daily, or weekly. The update interval is specified in the CRL's nextUpdate field.
Is CRL the only way to check revocation?
No. OCSP (Online Certificate Status Protocol) is a real-time alternative. Many systems use both, with OCSP as the primary and CRL as a fallback.
What happens if a client cannot download the CRL?
It depends on the client's security policy. Some will fail the connection (hard fail), while others will proceed with a warning (soft fail).
Why is there a delay between revocation and the certificate being untrusted?
Because CRLs are published on a schedule. The time between revocation and the next CRL publication is a window of vulnerability where the revoked certificate is still trusted.
Can a CRL be tampered with?
No, because the CRL is digitally signed by the CA. Any tampering would break the signature and the client would reject the CRL.
Summary
The Certificate Revocation List (CRL) is a cornerstone of Public Key Infrastructure (PKI) security. It is the mechanism by which a Certificate Authority communicates that a previously issued digital certificate has been revoked and should no longer be trusted. The CRL is a signed, time-stamped list of serial numbers of revoked certificates, distributed via URLs embedded in each certificate.
Understanding CRL is critical for IT professionals and certification candidates, especially for CompTIA Security+, Network+, and CISSP. The key points to remember are: CRL is a list-based, periodic, offline method that introduces latency; it is different from OCSP (real-time); it only contains revoked (not expired) certificates; and it must be signed and fresh to be trustworthy.
For the exam, you need to be able to compare CRL and OCSP, identify disadvantages of CRL (size, latency, window of vulnerability), and troubleshoot scenarios where CRL availability affects certificate validation. In practice, CRL is still widely used but is often supplemented with OCSP and other mechanisms for low-latency requirements. Always consider CRL as a vital but imperfect tool in a layered security approach.