Certificate Revocation

Use

Certificate authorities (CAs) provide certificate revocation lists (CRLs). CAs use these lists to alert the operators of public-key infrastructures to certificates that the CA has declared invalid before their scheduled expiration. CAs can revoke certificates for a number of reasons, including the following:

  • The certificate is due to expire soon and has been replaced with another certificate.

  • The subject of the certificate no longer exists; the user has died or the company has gone out of business.

  • The security of the certificate has been compromised in some way; for example, the user has lost his or her private key.

When an application verifies a digital signature or encrypts a digital envelope, CRLs enable the application to check whether the certificate has been revoked. CAs make CRLs available to operators at distribution points. Operators then download the CRLs, or access the distribution point, on a regular basis. Sometimes CAs write the distribution point for the CRL directly into the certificate. If the certificate in question appears in the CRL, the application should halt the operation and return an error.
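The following Python example, added here and not part of this documentation, uses the `cryptography` library to act out the procedure above: a constructed CA issues a certificate that carries the CRL distribution point, publishes a CRL, and an application-side check obtains the CRL named in the certificate, validates it, and rejects the certificate if its serial number is listed, or if the CRL is missing, stale or not signed by the CA. The CA name, the distribution point URL and the in-memory `CRL_STORE` that stands in for the download are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CRL_URL = "http://crl.example.test/demo.crl"  # hypothetical distribution point URL
NOW = datetime.now(timezone.utc)
CRL_STORE = {}  # stands in for downloading from the distribution point: URL -> CRL

def _issue(subject, issuer, pubkey, signing_key, is_ca):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if not is_ca:  # the CA writes the CRL distribution point directly into the leaf certificate
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(CRL_URL)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def build_pki():  # constructed test PKI: one CA and one end-entity certificate it issued
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "server.example.test")])
    ca_cert = _issue(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    return ca_key, ca_cert, _issue(leaf_name, ca_name, leaf_key.public_key(), ca_key, False)

def publish_crl(ca_key, ca_cert, revoked_serials):  # CA side: sign and post a fresh CRL
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:  # reason mirrors the "lost private key" case in the list above
        entry = (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
        b = b.add_revoked_certificate(entry)
    CRL_STORE[CRL_URL] = b.sign(ca_key, hashes.SHA256())

def check_revocation(cert, ca_cert):  # application side: True if not revoked; raises (fails closed) otherwise
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    urls = [gn.value for dp in dps for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]
    crl = CRL_STORE.get(urls[0]) if urls else None
    if crl is None:
        raise ValueError("CRL could not be obtained from the distribution point")
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not signed by the expected CA")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if next_update < datetime.now(timezone.utc):  # an expired CRL may hide newer revocations
        raise ValueError("CRL is stale; refuse to rely on it")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```

Run `build_pki()`, then `publish_crl()` with an empty list and again with the leaf's serial number to see `check_revocation()` flip from accepting to rejecting the same certificate.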