A Certificate Revocation List (CRL) is a list of certificates that the Certificate Authority has revoked before their expiration date. A CRL is generated and published periodically, usually at defined intervals, though a CRL can also be published immediately after a certificate is revoked. Revocation here means that the certificate has not expired: it was an active certificate and is now no longer trusted as it was.
Security experts regard a revoked certificate as having lost its credibility, because it no longer provides the same level of protection against malicious parties and hackers. CRLs give web browsers and users an indication of whether a website is trustworthy or not.
Hence a revoked SSL or TLS certificate is equivalent to having none at all. CRLs give an SSL endpoint a way to verify whether the certificate it has received is still authorized by the trusted Certificate Authority that signed it.
Why are Certificates Revoked?
There can be many reasons for revoking a certificate; the most common ones are as follows –
- The private key has been lost or compromised, hence no longer trustworthy.
- The previous owner of the domain no longer owns that domain or has ceased its operation.
- The certificate was forged.
Through the Certificate Revocation List the Certificate Authority provides not only information about the validity of certificates but also the date each certificate was issued, the date the list was published and the current status.
According to RFC 5280, p. 69 (an RFC, or Request for Comments, is one of a series of documents containing technical and organizational notes about the Internet), the reasons for revocation are –
- unspecified (0)
- keyCompromise (1)
- cACompromise (2)
- affiliationChanged (3)
- superseded (4)
- cessationOfOperation (5)
- certificateHold (6)
- removeFromCRL (8)
- privilegeWithdrawn (9)
- aACompromise (10)
The value 7 is not used.
Types of Certificate Revocation Lists –
- Base CRL – A base CRL contains all non-expired revoked certificates.
- Delta CRL – A delta CRL contains all non-expired certificates that have been revoked since the last base CRL was published.
If only a base CRL is used, a user checking for revocation needs to download and check just the base CRL to verify the certificate's revocation status.
If a combination of base and delta CRLs is used, users checking for revocation have to download both the base and the delta CRL to verify the certificate's revocation status.
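How a relying party combines a base CRL with its delta and reads the reason codes listed above, as an added Python example that is not part of the original article: the Entry and CRL structures, the serial numbers and the dates are constructed for illustration, and the delta's base CRL number is checked before the two lists are merged.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional

# CRLReason codes from RFC 5280; value 7 is deliberately absent.
REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
@dataclass
class Entry:
    serial: int   # serial number of the revoked certificate
    reason: int   # CRLReason code

@dataclass
class CRL:
    crl_number: int
    next_update: datetime                  # after this the CRL is stale
    entries: list
    base_crl_number: Optional[int] = None  # set only on a delta CRL

def apply_delta(base: CRL, delta: CRL) -> dict:
    """Merge a base CRL with its delta into {serial: Entry}."""
    if delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL does not belong to this base CRL")
    merged = {e.serial: e for e in base.entries}
    for e in delta.entries:
        if e.reason == 8:          # removeFromCRL: hold lifted, drop entry
            merged.pop(e.serial, None)
        else:                      # new revocation, or a hold made permanent
            merged[e.serial] = e
    return merged

def check_status(serial: int, base: CRL, delta: CRL, now: datetime) -> str:
    """Decide one certificate's status the way a relying party should."""
    if now > base.next_update or now > delta.next_update:
        return "unknown"           # stale CRL: silence is not proof of 'good'
    entry = apply_delta(base, delta).get(serial)
    if entry is None:
        return "good"
    if entry.reason == 6:
        return "hold"
    return "revoked:" + REASON_NAMES.get(entry.reason, "unknown")

# Constructed sample data, not from any real CA.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = CRL(41, T0 + timedelta(days=7), [Entry(0x1001, 1), Entry(0x1002, 6), Entry(0x1004, 6)])
DELTA = CRL(42, T0 + timedelta(days=2), [Entry(0x1002, 8), Entry(0x1003, 5)], base_crl_number=41)
```

Once either list is past its nextUpdate the check returns "unknown" rather than "good", which is the behaviour the later section on stale CRLs argues for.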
How a Certificate Revocation List Works –
When a browser is directed to a web page that has an SSL certificate, the browser generates a request for access, and the following steps take place –
- A request is made to the HTTPS (HyperText Transfer Protocol Secure) enabled page.
- The Certificate Authority receives the request and sends the browser a list of all the revoked certificates.
- The browser then checks the web page it was directed to and ensures that the website is not included in the revoked list provided by the CA (Certificate Authority).
CRLs must be updated regularly: if they are not, a website whose certificate has been revoked may be missing from the CRL, the browser will grant access to it, and users are exposed to compromise and information loss.
Revocation Process for Certificate Revocation List –
The revocation process follows these steps –
- Discovery of a compromised or invalid certificate.
- Revoking the compromised certificate.
- Announcing the revocation of the certificate.
The Certificate Authority is contacted immediately to invalidate the digital certificate it issued, so as to prevent any loss of the user's valuable information. The CA needs to verify that the revocation request comes from the website owner; only after that verification is the certificate revoked.
Sometimes there is a delay in revoking the digital certificate, and this can lead to serious losses: for example, a customer's bank account could be drained because the website remained vulnerable while revocation was delayed.
Mismanagement by CAs is not new: according to the research paper “The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI”, CAs take on average about 5.6 months to revoke a compromised certificate, leaving user information an easy and vulnerable target for malicious hackers.
Problems in Revocation –
Certificate revocation information is often inaccessible to the user, for reasons including –
- CRLs not being updated, or being updated late.
- CRL distribution points being unreachable.
- Delayed responses when fetching the CRL.
- Removal of a revoked certificate from the database by mistake.
Revoking a certificate by mistake can cause a series of problems, so care must be taken here.