Certificate Revocation
Certificate revocation is the process by which a certificate authority (CA) declares a certificate invalid before its scheduled expiration date, so that relying parties stop trusting it. The revocation status is what separates a certificate that is well-formed and still within its validity period from one that must no longer be accepted.
A certificate is typically revoked when the private key behind it may have been compromised (for example, a lost or stolen device), when the subject's affiliation changes (an employee leaves the company), or when the certificate has been superseded, as when a device re-enrolls and is issued a replacement certificate; the old certificate is then revoked. The CRL format lets the CA record such a reason alongside each entry (keyCompromise, affiliationChanged, superseded and so on).
Certificate Revocation List (CRL)
A CRL is a list, signed by the issuing CA, of the certificates that CA has revoked. It is an essential component of a Public Key Infrastructure (PKI). Certificates that have merely expired do not need to appear on a CRL: a relying party rejects an expired certificate on the strength of its validity period alone, so no revocation lookup is needed for it. For the same reason a CA may drop a revoked certificate from the CRL once that certificate has expired, which keeps the list from growing without bound.
Each CRL entry carries the serial number of the revoked certificate and the time of revocation, optionally with a reason code. The CRL as a whole carries the issuer name, the time it was produced (thisUpdate), the time by which a newer CRL should be available (nextUpdate) and the CA's signature; a relying party must check that signature and freshness before trusting the list. Clients have to download the CRL periodically, and for a busy CA it can be large.
Difference between CRL and CTL
Certificate Transparency (CT) logs are often confused with CRLs, but the two serve different purposes. Both deal with X.509 digital certificates, yet they are separate mechanisms. A CT log is a public, append-only record of certificates that CAs have issued; CAs submit the certificates they issue for a domain so that anyone, including the domain owner, can audit what exists. It is like a certificate inventory, whereas a CRL records only the certificates a CA has revoked. A CT log cannot revoke anything, and a CRL does not tell you what was issued.
Online Certificate Status Protocol (OCSP)
The Online Certificate Status Protocol (OCSP), defined in RFC 6960, is the newer alternative to CRLs. It is not a way of revoking a certificate but a way for a relying party to ask the CA, through an OCSP responder the CA operates, for the current revocation status of a single X.509 certificate.
Instead of downloading and parsing the complete CRL, the client sends a small request naming the certificate in question (its serial number together with a hash of the issuer's name and key) to the CA's OCSP responder, which replies with a signed status of good, revoked or unknown and the time at which that status was produced. This makes each check cheap and keeps it current. The cost is that the responder must be reachable at connection time: many clients fail open ("soft-fail") when it is not, and every query tells the responder which certificate, and therefore which site, the client is about to use. OCSP stapling, where the server itself fetches a fresh signed response and sends it along with its certificate, removes both problems for TLS.