ITU-T-X-509-CRL
Pre-expiration revoked X.509 certificates list.
Definition
X.509 CRL structure: Version, Signature Algorithm, Issuer Name, ThisUpdate, NextUpdate, Revoked Certificates (List: Serial Number, Revocation Date, Reason Code), CRL Extensions, CRL Signature. Distribution Points: HTTP or LDAP URL. Reason codes: unspecified (0), keyCompromise (1), CACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9), AACompromise (10). Decreasing adoption in favour of OCSP + OCSP stapling for real-time, but still required by regulators (eIDAS QTSP).
Origin
X.509 v1 published 1988 included initial CRL ; X.509 v2 1993 added CRL extensions ; X.509 v3 1997 (current major version) ; 9th edition published October 2019.
Example in context
DigiCert (major CA) publishes CRL distribution point http://crl3.digicert.com/sha2-ev-server-g2.crl reachable by all browsers ; signed CRL typically updated every 7 days.
Related terms
- ITU-T X-series — standards family.