Certificate Revocation List (CRL)

Security+ 🏆 • Cryptography 🔒 • Web Security 🕸️ • Difficulty: premium

Definition

A Certificate Revocation List is a signed list published by a Certificate Authority that identifies certificates that should no longer be trusted before they expire (for example, keys were stolen or a user left the company). Clients consult the CRL to reject revoked certificates.

Examples

  • A VPN gateway performs mutual TLS. When an employee leaves, the internal CA revokes their user certificate; the gateway checks the CRL and blocks future logins.
  • A web server’s private key is exposed. The CA revokes the certificate and publishes an updated CRL. Compliant clients that fetch the new CRL refuse the connection.

Discover 🔎

Certificates can look valid (not expired, correct hostname) even when they should no longer be trusted—like after key compromise or when access is withdrawn. A CRL fixes this by listing revoked certificate serial numbers, signed by the issuing CA. Clients download the CRL periodically and deny any certificate on the list.

Remember: Revocation is about ending trust early. Expiry happens on a schedule; revocation happens when risk demands it.