Certificate revocation list

In <a href="/facts/Cryptography/e94PEVau">cryptography</a>, a certificate revocation list (CRL) is "a list of <a href="/facts/Digital_certificates/J7aYI4Bx">digital certificates</a> that have been revoked by the issuing <a href="/facts/Certificate_authority/WAo8vMTN">certificate authority</a> (CA) before their scheduled expiration date and should no longer be trusted".
Publicly trusted CAs in the Web PKI are required (including by the <a href="/facts/CA/Browser_forum/JC00DSD0">CA/Browser forum</a>) to issue CRLs for their certificates, and they widely do.
Browsers and other relying parties might use CRLs, or might use alternate <a href="/facts/Certificate_revocation/JSP12aR0">certificate revocation</a> technologies (such as <a href="/facts/Online_Certificate_Status_Protocol/0SuMER8c">OCSP</a>) or CRLSets (a dataset derived from CRLs) to check certificate revocation status. Note that OCSP is falling out of favor due to privacy and performance concerns.
Subscribers and other parties can also use ARI.

Certificate revocation list open-in-new

Certificate revocation list