Certificate Revocation List (CRL)
A CRL is a Certificate Revocation List. Every certificate is issued with a validity period (its notBefore and notAfter dates) chosen by the Certification Authority; one or two years is typical. Whenever a certificate is presented as part of an authentication exchange, the current time should be checked against that period, and if the certificate is not yet valid or has expired, the authentication should fail. However, there are cases where a certificate should not be honored even during its validity period.
For example, if the private key associated with a certificate is lost or exposed, any authentication using that certificate should be denied. Similarly, people change jobs, names, and companies; when their certificates are replaced, the old certificates have to be marked somehow as "no longer accepted." The purpose of the CRL is to list certificates that are still within their validity period but have been revoked by the issuing CA. A relying party that checks only the validity period and skips the CRL will keep accepting a compromised or superseded certificate until it expires.
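The check described above, as an added example that is not part of the original page. It models a certificate and a CRL as plain Python dataclasses holding only the fields the decision needs (issuer, serial, validity dates, revoked serials, thisUpdate/nextUpdate), so it runs with the standard library and no real X.509 parsing; the issuer name and serial numbers in `demo()` are constructed sample data. Beyond the page's two cases it also shows how a practitioner handles a missing or stale CRL: by failing closed rather than treating "not on the list" as "not revoked".

```python
"""Validity-period and CRL checks for an X.509-style certificate.

Added example: the certificate and CRL are modelled as dataclasses with
just the fields the check needs; no DER/PEM parsing is performed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Status(Enum):
    GOOD = "good"
    NOT_YET_VALID = "not_yet_valid"
    EXPIRED = "expired"
    REVOKED = "revoked"
    CRL_UNAVAILABLE = "crl_unavailable"      # no CRL at hand: fail closed
    CRL_ISSUER_MISMATCH = "crl_issuer_mismatch"
    CRL_STALE = "crl_stale"                  # nextUpdate has passed: fail closed


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:
    revocation_date: datetime
    reason: str = "unspecified"


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, RevokedEntry] = field(default_factory=dict)  # keyed by serial


def check_certificate(cert: Certificate, crl: Optional[CRL],
                      now: Optional[datetime] = None) -> Status:
    """Return GOOD only if the certificate is inside its validity period,
    a fresh CRL from the same issuer is available, and the serial is not listed."""
    now = now or datetime.now(timezone.utc)

    # 1. Validity period first. A CA may drop expired certificates from its
    #    CRL, so an expired certificate must be rejected before the CRL lookup.
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED

    # 2. Revocation. Absence of a usable CRL is a failure, not a pass:
    #    an attacker who can block CRL retrieval must not gain acceptance.
    if crl is None:
        return Status.CRL_UNAVAILABLE
    if crl.issuer != cert.issuer:
        return Status.CRL_ISSUER_MISMATCH
    if now > crl.next_update:
        return Status.CRL_STALE
    if cert.serial in crl.revoked:
        return Status.REVOKED
    return Status.GOOD


def demo() -> Dict[str, Status]:
    """Run the check over constructed sample certificates and CRLs."""
    ca = "CN=Example Issuing CA"          # constructed issuer name
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    year = timedelta(days=365)
    now = t0 + timedelta(days=200)        # fixed "current time" for the demo

    # Fresh CRL: serial 1002 was revoked for key compromise 30 days ago.
    crl = CRL(issuer=ca, this_update=now - timedelta(days=1),
              next_update=now + timedelta(days=6),
              revoked={1002: RevokedEntry(now - timedelta(days=30), "keyCompromise")})
    certs = {
        "current":         Certificate(ca, 1001, t0, t0 + year),
        "key_compromised": Certificate(ca, 1002, t0, t0 + year),
        "expired":         Certificate(ca, 1003, t0 - 2 * year, t0 - year),
        "not_yet_valid":   Certificate(ca, 1004, now + timedelta(days=1), now + year),
    }
    results = {name: check_certificate(c, crl, now) for name, c in certs.items()}

    # Edge cases: a CRL whose nextUpdate has passed, and no CRL at all.
    stale = CRL(issuer=ca, this_update=now - timedelta(days=14),
                next_update=now - timedelta(days=7))
    results["stale_crl"] = check_certificate(certs["current"], stale, now)
    results["no_crl"] = check_certificate(certs["current"], None, now)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16s} {status.value}")
```

The ordering matters: the expiry test runs before the CRL lookup because RFC 5280 permits a CA to stop listing certificates once they have expired, so "not on the CRL" only means "not revoked" for a certificate that is still inside its validity period.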
- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - RFC 3280 (obsoleted by RFC 5280)