(2 votes, average: 5.00 out of 5)
The foundation of Public Key Infrastructure (PKI), which secures billions of online transactions, is the X.509 digital certificate standard.
But what will happen if these certificates or the keys that go with them have an issue? They need to be revoked since it is clear that they can no longer be trusted. A certificate must be added to a certificate revocation list (CRL) so as for users to be informed that it has been revoked.
We have already seen massive certificate revocations take place in PKI history. For instance, in 2019 Apple, Google, and GoDaddy canceled millions of certificates because their serial numbers were 63 bits rather than 64 bits.
Due to an issue in their code, Let’s Encrypt also carried out a significant amount of certificate revocations in March 2020.
A Certificate Revocation List, or CRL, is a list of digital certificates that have been revoked or considered invalid before their expiration date.
A digital certificate—a digital identifying document that protects internet communication—is issued by a trustworthy third-party certificate authority (CA). Applications verify the validity of an SSL/TLS certificate using a CRL, an essential component of public key infrastructure (PKI).
In other words, CRL is a technique for preventing the validation of unwanted certificates. The identities of certificates that are considered untrustworthy have been included in the CRL.
When a CA provides a digital certificate, they expect that the certificate will be used over its complete lifecycle. (Certificates now have a two-year validity; however, for certificates issued on or after 1st September 2020, the duration will be decreased to one year)
But not all certifications remain valid for that long. They occasionally get their licenses canceled too soon; at that point, they join CRLs. This is different from the processes for expired certificates, which CAs revoke, and browsers and operating systems immediately refuse. (Therefore, they aren’t included in the listings of certificates that have been revoked.)
As you can imagine, if customers are unaware that a certain certificate has been revoked, it can cause a lot of issues. A good illustration of one of those issues is The alert notification you saw before that read “Your connection is not private”. Therefore, CAs and CRL providers encompass certificate revocations to their CRLs to make them easier to observe and track.
There isn’t a universal response to this query. Your website’s certificate may be revoked by a CA for several reasons, including:
Although CRLs could vary, the following are a few elements that are frequently included:
The certificate revocation list is simply a broad compilation of certificates that have been blocked and maintained up to date by a certain certificate authority.
Following the steps listed below, a browser sends a request to a page that has an SSL/TLS certificate.
It might be challenging to maintain a certificate revocation list. It needs frequent updates and modifications and is consequently prone to mistakes.
Furthermore, depending on when the CRL was recently updated, it’s conceivable that a browser request to a site that ought to have a revoked certificate receives a green light since the list wasn’t updated in time.
Browsers verify the legitimacy of the server they are connecting to before establishing a safe, encrypted connection. They verify the SSL/TLS certificate to achieve that.
A browser can accomplish this in one of two ways:
A brief note on OCSP: OCSP refers to Online Certificate Standard Protocol. To obtain information about the status of a digital certificate’s revocation, one can utilize OCSP which is specified in RFC 6960.
Recommended: Differences between CRL vs OCSP
OCSP is easier and quicker than CRLs because, the certificate verification is handled by the CA rather than your PKI, transferring the duty to them. It is also considerably carrying lesser data and simpler for the CA to comprehend.
The client (browser) is responsible for the two techniques previously discussed for determining the status of the certificate revocation. To connect to a certificate, the browser must first determine if it has been revoked.
There are additional challenges besides making browsers check the validity of the certificates, including:
Due to the drawbacks, the market has created an additional option called OCSP stapling, a web server-based certificate revocation status check. OCSP stapling shifts the burden of processing OCSP requests from the user’s client to the web server.
This method uses fewer resources and gives the end user a more effortless experience. Additionally, it’s able to deal with the data leaking challenges that the client-based OCSP status check approach has.
The main advantages of OCSP stapling over CRLs are that it uses less bandwidth and enables real-time status checks.
Finally, Certificate Revocation Lists are essential for establishing trust in Internet interactions and transactions. However, they do come with several challenges, some of which were covered in this article. The best method to address these issues is to maintain an effective certificate management program.
The term “certificate revocation list” (CRL) refers to a list of digital certificates that have had their issuing certificate authority (CA) revoke them before the actual or designated expiration date of the certificates.
The act of invalidating a TLS/SSL certificate before its specified expiration date is known as certificate revocation. When a certificate’s private key appears to have been compromised, it should be immediately revoked. When the domain for which it was given is no longer active, it should also be revoked.
A few global information elements, including the version, signature algorithm, issuer name, CRL issue date, and next update date, are also included in the CRL. X. 509 v2 Certificate Revocation Lists are the most prevalent type and are often encoded in DER (binary) or PEM (text) formats.
When you revoke an SSL certificate, HTTPS is instantly removed from the website. Your website could display errors or temporarily go offline depending on your Web host.