{"id":12561,"date":"2020-07-22T10:59:57","date_gmt":"2020-07-22T14:59:57","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12561"},"modified":"2023-05-25T12:22:45","modified_gmt":"2023-05-25T16:22:45","slug":"crl-explained-what-is-a-certificate-revocation-list","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/crl-explained-what-is-a-certificate-revocation-list\/","title":{"rendered":"CRL Explained: What Is a Certificate Revocation List?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-need-to-revoke-a-certificate-there-s-a-list-for-that\">Need to revoke a certificate? There\u2019s a list for that\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">X.509 digital certificates are integral to public key infrastructure (PKI) and web security as a whole. But what happens when something goes wrong with one of those certificates or its keys? Any certificate can find its head on the chopping block, so to speak \u2014 or what\u2019s better known as being added to a certificate revocation list (CRL).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve seen mass certificate revocations happen before. For example, Apple, Google and GoDaddy (and a few other CAs) <a href=\"https:\/\/www.thesslstore.com\/blog\/mass-revocation-millions-of-certificates-revoked-by-apple-google-godaddy\/\">revoked millions of certificates<\/a> last year due to the certificates having 63-bit serial numbers instead of 64-bit ones. And just earlier this year, we saw <a href=\"https:\/\/www.thesslstore.com\/blog\/lets-encrypt-to-revoke-3-million-ssl-certificates-on-march-4\/\">Let\u2019s Encrypt facing a mass certificate revocation<\/a> due to a bug in their code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what exactly is a certificate revocation and how does it work? What is a certificate revocation list? And, moreover, what role does a CRL play in website security as a whole?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-defining-crls-what-is-a-certificate-revocation-list\">Defining CRLs: What Is a Certificate Revocation List?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The answer to your question about what a certificate revocation list (or CRL) is depends on whom you ask. For example, the <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/CRL\" target=\"_blank\" rel=\"noreferrer noopener\">National Institute of Standards and Technology (NIST)<\/a> defines a CRL as \u201cA list of revoked public key certificates created and digitally signed by a Certification Authority.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But it\u2019s more than that. The more technical answer from the <a href=\"https:\/\/tools.ietf.org\/html\/rfc5280\" target=\"_blank\" rel=\"noreferrer noopener\">Internet Engineering Task Force\u2019s (IETF) RFC 5280<\/a> describes a CRL as a time-stamped and signed data structure that a certificate authority (CA) or CRL issuer periodically issues to communicate the revocation status of affected digital certificates. Depending on the provider, certificate revocation lists are offered hourly, daily, or weekly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But this description doesn\u2019t quite do it justice, either. <strong>Personally, I\u2019d prefer to define a certificate revocation list (CRL) as a <a href=\"https:\/\/searchsecurity.techtarget.com\/definition\/Certificate-Revocation-List\" target=\"_blank\" rel=\"noreferrer noopener\">blacklist of X.509 digital certificates<\/a> that a CA revokes prior to their assigned expiration dates.<\/strong> It\u2019s important to note, however, that this list doesn\u2019t include expired certificates. Furthermore, in some cases, third-party entities issue and maintain CRLs on behalf of CAs. This means that the CRL issuer isn\u2019t always the same as the CA who issued the revoked certificate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But before we can get into the nitty-gritty details of what a certificate revocation list fully entails, we first need to address what certificate revocation is in general.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-purpose-of-certificate-revocation\">The Purpose of Certificate Revocation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Much like the name implies, certificate revocation is a process that distinguishes invalid and untrusted certificates from valid trusted ones. Basically, <strong>it\u2019s a way for CAs (or CRL issuers) to make it known that one or more of their digital certificates is no longer trustworthy for one reason or another.<\/strong> When they revoke a certificate (a process that\u2019s sometimes known as PKI certificate revocation), they essentially invalidate the cert ahead of its expiration date.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, should a CA need revoke a certificate for your website, it makes Google Chrome display a lovely warning message like this to your site visitors:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"712\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/ssl-certificate-revocation-error-1024x712.png\" alt=\"Screenshot of the certificate revocation warning in Google Chrome.\" class=\"wp-image-12562 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/ssl-certificate-revocation-error-1024x712.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/ssl-certificate-revocation-error-300x209.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/ssl-certificate-revocation-error-768x534.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/ssl-certificate-revocation-error.png 1217w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>This is a screenshot of an SSL\/TLS certificate revocation warning message in Google Chrome.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Needless to say, it\u2019s definitely not a good look for your business\u2019s website. This message doesn\u2019t exactly foster warm and happy feelings of trust in your users\u2026 nor should it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-certificate-transparency-logs-vs-certificate-revocation-lists-aren-t-they-the-same\">Certificate Transparency Logs vs Certificate Revocation Lists: Aren\u2019t They the Same?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There is sometimes <a href=\"https:\/\/security.stackexchange.com\/questions\/130271\/what-exactly-does-certificate-tranparency-do\" target=\"_blank\" rel=\"noreferrer noopener\">confusion about whether certificate transparency (CT) logs are the same as CRLs<\/a> or if they serve the same purposes. So, let me answer this question directly: <strong>No, CT logs and CRLs are <em>not<\/em> the same thing.<\/strong> While they both deal with X.509 digital certificates, they\u2019re two separate processes that serve two separate functions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.thesslstore.com\/blog\/certificate-transparency-april-30-2018\/\">Certificate transparency logs<\/a> are a way for CAs to record every certificate that they issue for an individual domain. A CT log is, essentially, a certificate inventory for your domain. But this doesn\u2019t tell you whether a certificate is revoked. CRLs, on the other hand, are about informing clients whenever they revoke a certificate. But they don\u2019t include a list of every certificate that a CA issues for your domain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-would-a-ca-add-certificates-to-a-crl\">Why Would a CA Add Certificates to a CRL?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There isn\u2019t a one-size-fits-all answer for this question. A CA can revoke a certificate of your website for one of several reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Someone compromises (or is suspected of compromising) your certificate\u2019s private key. (This is the most common reason.)<\/li>\n\n\n\n<li>The CA mis-issues a certificate and issues a new one to replace it.<\/li>\n\n\n\n<li>The CA itself is compromised.<\/li>\n\n\n\n<li>Your organizational details listed in the certificate (for example, your organization\u2019s name) change and the CA needs to reissue the cert to reflect that change.<\/li>\n\n\n\n<li>A certificate is illegitimate or was fraudulently signed with a stolen key. (You naughty boy\/girl, you.)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">But just how frequently are certificates revoked? We\u2019ll defer to the <a href=\"https:\/\/isc.sans.edu\/crls.html\" target=\"_blank\" rel=\"noreferrer noopener\">SANS Internet Storm Center (ICS)<\/a> to answer that question. Here are a the most recent certificate revocation statistics for the last month and last year:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-stats-1024x481.png\" alt=\"Screenshot from SANS ICS of the certificate revocations between June 20, 2020 and July 20, 2020.\" class=\"wp-image-12563 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-stats-1024x481.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-stats-300x141.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-stats-768x361.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-stats.png 1184w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Image source: <a href=\"https:\/\/isc.sans.edu\/crls.html\">SANS ICS<\/a>. This data shows the daily certificate revocation rate over the past month (June 20, 2020-July 20, 2020). Note: This data was captured on July 20, 2020 and may not reflect the accurate number of certificates revoked that day.<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"475\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-annual-stats-1024x475.png\" alt=\"Screenshot of certificate revocation data from SANS ICS between July 20, 2019 and July 20, 2020.\" class=\"wp-image-12564 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-annual-stats-1024x475.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-annual-stats-300x139.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-annual-stats-768x356.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/SANS-revoked-certificates-daily-annual-stats.png 1196w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Image source: <a href=\"https:\/\/isc.sans.edu\/crls.html\">SANS ICS<\/a>. This data shows the daily certificate revocation rate over the past year (July 20, 2019-July 20, 2020). Note: This data was captured on July 20, 2020 and may not reflect the accurate number of certificates revoked on the last day. You will, however, notice that the largest spike in revocations \u2014 11,322 \u2014 occurred recently on July 12, 2020.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-a-certificate-revocation-list-is-necessary\">Why a Certificate Revocation List Is Necessary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When a CA issues a digital certificate, they\u2019re expecting the certificate to be in use for its entire lifespan. (Certificates are currently valid for two years, but <a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-to-join-apple-safari-in-one-year-certificate-validity\/\">certificate validity will be reduced to one year<\/a> \u2014 or, more specifically, 398 days \u2014 for certificates issued on or after Sept. 1, 2020.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But not all certificates survive that full time. They sometimes get revoked early, and that\u2019s when they join CRLs. This is different from the process for expired certificates, which CAs invalidate and browsers and operating systems reject automatically. (Hence why they aren\u2019t added to certificate revocation lists.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As you can imagine, a certificate revocation causes a lot of problems if clients don\u2019t know that a particular cert is revoked. (The \u201cyour connection is not private\u201d warning message you saw earlier is the perfect example of one of those issues.) So, to make certificate revocations easier to track, CAs (and CRL issuers) add them to their CRLs.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Revocation of digital certificates: CRL, OCSP, OCSP stapling\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/WXNKQ_otO_g?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-s-included-in-a-certificate-revocation-list\">What\u2019s Included in a Certificate Revocation List<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A certificate revocation list is a list of untrustworthy <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.oracle.com\/javase\/8\/docs\/technotes\/guides\/security\/cert3.html\" target=\"_blank\">X.509 digital certificates<\/a>. While SSL\/TLS certificates, or what are known as <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-website-security-certificate-and-what-does-it-do-for-your-business\/\">website security certificates<\/a>, are the most common, CRLs can also include code signing certificates and, I believe, email signing certificates (or what are known as S\/MIME certificates).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, these are certificates that trusted CAs revoke before their official expiry dates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what kind of information can a certificate revocation list include? A CRL entry may include any of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The certificate\u2019s serial number.<\/li>\n\n\n\n<li>The certificate\u2019s signature algorithm.<\/li>\n\n\n\n<li>The common name (CN).<\/li>\n\n\n\n<li>The certificate\u2019s extension(s).<\/li>\n\n\n\n<li>The revocation date and time.<\/li>\n\n\n\n<li>The name of the CRL issuer.<\/li>\n\n\n\n<li>The date by which the next CRL will generate.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s an example of a Sectigo (formerly Comodo CA) CRL:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"703\" height=\"528\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-list-example-CRL.png\" alt=\"Screenshot of a certificate revocation list (CRL) from Sectigo (formerly Comodo CA).\" class=\"wp-image-12565 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-list-example-CRL.png 703w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-list-example-CRL-300x225.png 300w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><figcaption>This is a screenshot of a certificate revocation list from Sectigo (formerly Comodo CA).<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s important to note that once a certificate is added to the list, it\u2019s basically a permanent fixture, according to the IETF RFC 5280:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">&#8220;An entry is added to the CRL as part of the next update following notification of revocation. An entry MUST NOT be removed from the CRL until it appears on one regularly scheduled CRL issued beyond the revoked certificate&#8217;s validity period.&#8221;<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-a-certificate-revocation-status-check-works\">How a Certificate Revocation Status Check Works<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are plenty of free online tools you can use to check your certificate\u2019s revocation status. For example, there\u2019s <a href=\"https:\/\/certificate.revocationcheck.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">certificate.revocationcheck.com<\/a>. When I type in the URL of The SSL Store, this is what it shows:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check-1024x591.png\" alt=\"A screenshot of a certificate revocation status check\" class=\"wp-image-12566 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check-1024x591.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check-300x173.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check-768x444.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check-1536x887.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/crl-certificate-revocation-check.png 1572w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Image source: <a href=\"https:\/\/certificate.revocationcheck.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">certificate.revocationcheck.com<\/a><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">But how does the certificate revocation check process work for clients and web servers? Let\u2019s use the SSL\/TLS certificate on this website as an example.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before your web browser (client) establishes a secure, encrypted connection to TheSSLStore.com, your client first needs to know whether the server it\u2019s connecting to is legitimate. The way it does this is by checking our SSL\/TLS certificate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But how does your client know whether the certificate our server provides is valid? After all, for all your client knows, we\u2019re a fraudulent website that\u2019s pretending to be The SSL Store and this is an imposter site. (Of course, to do this, it means that a cybercriminal compromises a website or web service\u2019s certificate or private key, or if a certificate is improperly issued for one reason or another [which is far less likely], then the CA must revoke it.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, how does the client know whether a certificate is valid or has been revoked? There are two ways the client can do this:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>It manually checks the certificate revocation list for the certificate in question.<\/li>\n\n\n\n<li>It sends an OCSP request to an OCSP responder to check the revocation status for the specific certificate via the CA\u2019s revocation server.<\/li>\n<\/ol>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-the-client-checks-the-crl-and-ocsp\">How the Client Checks the CRL and OCSP<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In these two methods, the onus for checking the certificate revocation status falls on the client. Basically, the client is responsible for checking whether a certificate is revoked before connecting to it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-certificate-revocation-list-based-certificate-revocation-status-check\">Certificate Revocation List-Based Certificate Revocation Status Check<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">To check the status of a certificate using a CRL, the client reaches out to the CA (or CRL issuer) and downloads its certificate revocation list. After doing this, it then must search through the entire list for that individual certificate. This is not only cumbersome but it\u2019s also slow. To speed up performance, the client may only download updated CRLs every 24 hours or so.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"894\" height=\"588\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-to-check-certificate-revocation-status-crl.png\" alt=\"Illustration of a certificate revocation list-based cert revocation check\" class=\"wp-image-12567 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-to-check-certificate-revocation-status-crl.png 894w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-to-check-certificate-revocation-status-crl-300x197.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-to-check-certificate-revocation-status-crl-768x505.png 768w\" sizes=\"auto, (max-width: 894px) 100vw, 894px\" \/><figcaption>This is an illustration of how the certificate revocation check process goes when using a certificate revocation list.<\/figcaption><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-ocsp-based-certificate-revocation-status-check\">OCSP-Based Certificate Revocation Status Check<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In the second status check method, the client sends an OCSP request to the OCSP responder to check the real-time status of a certificate. The OCSP responder then sends back one of three certificate status responses \u2014 good, revoked, or unknown \u2014 and the client can then react accordingly.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"852\" height=\"569\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-ocsp.png\" alt=\"An illustration of how an OCSP-based certificate revocation check goes\" class=\"wp-image-12568 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-ocsp.png 852w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-ocsp-300x200.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-ocsp-768x513.png 768w\" sizes=\"auto, (max-width: 852px) 100vw, 852px\" \/><figcaption>This is an illustration of how the certificate revocation check process goes when using the online certificate status protocol (OCSP).<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-advantages-and-drawbacks-of-client-based-certificate-revocation-status-checks\">Advantages and Drawbacks of Client-Based Certificate Revocation Status Checks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The advantage of OCSP is that it\u2019s faster than the traditional CRL-checking process and also provides more up-to-date information about a certificate\u2019s revocation status. But there are cases in which a CRL might be more beneficial (mainly when an OCSP server goes down \u2014 even just temporarily.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, there are drawbacks to both:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CRL lists grow and CAs release new lists.<\/strong> Since CRL-based verification methods require certificate revocation status checks for every connection, there\u2019s a chance that the CRL issuer or CA may release a new list and you\u2019ll miss out on newly revoked certificates. This isn\u2019t good for scalability.<\/li>\n\n\n\n<li><strong>These two methods are resource-intensive for the client.<\/strong> They suck up a lot of resources and increase latency as well. This leads to a crappier user experience. After all, there are a lot of certificates the client must slog through on that list every time.<\/li>\n\n\n\n<li><strong>Your privacy protection funnel has a few leaks.<\/strong> Your secure website usage isn\u2019t as secure as you may think when you use OCSP. Why? Because the browser tells the CA servers who is accessing which websites. So, if you don\u2019t want anyone (including the CA) to know about your secret penchant for collectable figurines or love of cat videos, then user beware.<\/li>\n\n\n\n<li><strong>CRLs and OCSPs are dependent on a CA\u2019s infrastructure.<\/strong> If you\u2019re using an unreliable CA that has a lot of server downtime or availability issues, this can make relying on both of these practices a lot more troublesome.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">A major red flag, though, comes in the form of browsers\u2019 CRL check soft fail policies. What I mean by this is that when a client checks the CRL list, or they send a message to the OCSP responder and get an \u201cunknown\u201d response, some browsers may assume that the certificate is valid and allow the connection regardless of the potential danger.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-enter-ocsp-stapling\">Enter OCSP Stapling<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There is a third option, though, which is a web server-based certificate revocation status check that\u2019s known as <a href=\"https:\/\/www.thesslstore.com\/blog\/ocsp-stapling-best-method-checking-certificate-validity\/\">OCSP stapling<\/a>. <strong>OCSP stapling puts the responsibility of performing OCSP requests on the web server instead of the end user\u2019s client. <\/strong>This is a less resource-intensive process and unburdens the client, which provides a more seamless experience for the end user. It also avoids the data leakage concerns that the client-based OCSP status check method experiences.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Essentially, it\u2019s the new-and-improved implementation of traditional OCSP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, with OCSP stapling, the web server is in constant communication with the CA\u2019s revocation server. It timestamps and caches the most recent OCSP responses so that it can \u201cstaple\u201d (attach) it to clients\u2019 <a href=\"https:\/\/www.thesslstore.com\/blog\/explaining-ssl-handshake\/\">SSL\/TLS handshake<\/a> request responses. This helps to ensure coverage during short CA server outages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, there\u2019s a lot more to know about OCSP stapling. So, I\u2019ll discuss OCSP stapling \u2014 and the <a href=\"https:\/\/www.thesslstore.com\/blog\/ocsp-ocsp-stapling-ocsp-must-staple\/\">online certificate status protocol<\/a> in general \u2014 more later this week in another article next week, so stay tuned for that. (Insert a shameless \u201csubscribe now to our blog\u201d message.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-wrapping-up-the-topic-of-certificate-revocation-lists\">Wrapping Up the Topic of Certificate Revocation Lists<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see, there\u2019s a lot to know about certificate revocation lists. They\u2019re like the cybersecurity equivalent of Santa\u2019s \u201cNaughty and Nice\u201d list \u2014 you know who is being good (because they use valid X.509 certificates) and who deserves coal in their stocking (because they aren\u2019t).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CRLs are useful for helping your client determine whether or not it\u2019s safe to connect to a web server. However, they\u2019re not perfect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate revocation lists are clunky, slow, and burdensome for clients to continually download and sort through.<\/li>\n\n\n\n<li>Whether your client downloads a CRL list to check each individual certificate or it relies on an OCSP responder to provide a real time certificate status check of the revocation server, there\u2019s still a chance that something can go wrong and you wind up relying on old data.<\/li>\n\n\n\n<li>OCSP stapling is a better option that reduces latency and puts the responsibility of CRL revocation checks on web servers (instead of clients).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">I hope this article provides clarity about certificate revocation lists and illuminates the certificate revocation status checking process for you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As always, feel free to drop a comment to share your thoughts and insights.<\/p>\n\n\n<span style=\"--tl-form-height-m:801.312px;--tl-form-height-t:638.344px;--tl-form-height-d:638.344px;\" class=\"tl-placeholder-f-type-shortcode_12763 tl-preload-form\"><span><\/span><\/span>","protected":false},"excerpt":{"rendered":"<p>Need to revoke a certificate? There\u2019s a list for that\u2026 X.509 digital certificates are integral to public key infrastructure (PKI) and web security as a whole. But what happens when&#8230;<\/p>\n","protected":false},"author":17,"featured_media":12569,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[194,12506],"class_list":["post-12561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-certificate-revocation","tag-crls","post-with-tags"],"views":98236,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/certificate-revocation-feature2.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12561"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12561\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12569"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}