Certificate Revocation Explained: CRL vs OCSP
Posts in this series:
- Part 1 — What Is PKI?
- Part 2 — What Is a Certificate Authority?
- Part 3 — Why PKI Fails
- Part 4 — (this post) Certificate Revocation Explained
Certificate Revocation Defined
Certificate revocation is the process of invalidating a digital certificate before its expiration date. This ensures that compromised or untrusted certificates can no longer be used.
Introduction
Certificates are issued with a defined lifetime, but that does not mean they remain valid for that entire period.
There are many situations where a certificate must be revoked early. A private key may be compromised. A device may be decommissioned. An identity may no longer be trusted.
PKI must be able to communicate this change in status reliably.
In practice, this is one of the most critical and most fragile parts of PKI.
Related: What is PKI?
What Is Certificate Revocation?
Revocation is the mechanism that allows PKI to say:
This certificate was valid, but it should no longer be trusted.
When a certificate is revoked, that information must be made available to any system that relies on it. Otherwise, the certificate may continue to be accepted as valid.
What Is a CRL?
A Certificate Revocation List (CRL) is a published list of revoked certificates.
It is generated by a Certificate Authority (CA) and distributed to specific locations where clients can retrieve it.
CRLs are simple and widely supported, but they are static. They are only as current as the last time they were published.
What Is OCSP?
The Online Certificate Status Protocol (OCSP) provides a more dynamic way to check revocation status.
Instead of downloading a full list, a client can query an OCSP responder to determine whether a specific certificate is valid.
This brings validation closer to real time, but it introduces additional infrastructure and dependencies: the responder must be reachable and correctly configured for every check.
CRL vs OCSP
Both CRLs and OCSP serve the same purpose, but they operate differently.
CRLs are simpler and more predictable, but they can become large and may not reflect real-time status.
OCSP provides more immediate responses, but it depends on responder availability and proper configuration.
In many environments, both mechanisms are used together.
Why Revocation Failures Cause Outages
Revocation is not just a security feature. It is part of the validation process.
If a system cannot determine the revocation status of a certificate, it may reject it entirely.
This means that failures in CRL publishing or OCSP availability can result in authentication failures and service outages.
These issues are often difficult to diagnose because they do not always present clear error messages.
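The CRL and OCSP mechanisms described in the two sections above, and the fail-closed behaviour this section describes, as an added example that is not part of the original post. It uses only the openssl command-line tool (1.1.1 or 3.x is assumed) to stand up a throwaway CA in a temporary directory, issue and revoke a leaf certificate, publish a CRL, answer an OCSP request from the same CA database without any network, and then run verification three ways. All subject names, the URLs placed in the distribution-point and authority-information-access extensions, and the lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post): a throwaway CA built with the
# openssl CLI, a leaf certificate, a revocation, a published CRL and a file-based
# OCSP exchange, followed by the verification outcomes the post describes.
# All names, URLs and lifetimes below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: req/x509 extension sections plus the [ca] database that
# `openssl ca -revoke` / `-gencrl` and the OCSP responder read.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# Where relying parties would look for revocation data (constructed URLs).
crlDistributionPoints = URI:http://crl.example.test/lab.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. Root CA and a 30-day leaf certificate.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 365 -subj "/CN=Lab Root CA" >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=device-01.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile ca.cnf -extensions v3_leaf -out leaf.crt >/dev/null 2>&1

# 2. Revoke the leaf (key compromise) and publish a CRL from the CA database.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out lab.crl >/dev/null 2>&1

# 3. OCSP, done offline: build a request, answer it from the same database with
#    the CA acting as responder, and keep the DER response for the client side.
openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -respout resp.der -noverify >/dev/null 2>&1

# Default `openssl verify`: revocation is never consulted, so the revoked
# certificate is still accepted.
verify_ignoring_revocation() {
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Revocation checking on and the CRL on hand: rejected as revoked.
verify_with_crl() {
    if openssl verify -crl_check -CAfile ca.crt -CRLfile lab.crl leaf.crt >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Revocation checking on but no CRL available: also rejected, with "unable to
# get certificate CRL". This is the fail-closed outage the post describes, and
# it hits every certificate from this CA, not only the revoked one.
verify_without_crl() {
    if openssl verify -crl_check -CAfile ca.crt leaf.crt >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Client-side check of the saved OCSP response; prints the status word.
ocsp_status() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin resp.der -CAfile ca.crt 2>/dev/null \
        | awk -F': ' '/leaf\.crt: /{print $2}'
}

echo "no revocation check   : $(verify_ignoring_revocation)"
echo "CRL check, CRL on hand: $(verify_with_crl)"
echo "CRL check, CRL missing: $(verify_without_crl)"
echo "OCSP status           : $(ocsp_status)"
```

Run it with sh; the four summary lines read accepted, rejected, rejected and revoked. The third case is the one behind most revocation outages: with checking enabled and the CRL unreachable, the verifier cannot tell a good certificate from a revoked one and rejects all of them, which is exactly the condition a monitoring probe against the real distribution points should catch before clients do.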
Best Practices for Revocation
Effective revocation management requires:
- Reliable publishing of CRLs
- Proper configuration of distribution points
- Monitoring of revocation endpoints
- Regular validation of revocation behavior
Related: PKI Monitoring and Visibility
Final Thoughts
Revocation is one of the most important aspects of PKI, but it is also one of the most overlooked. When it works, it is invisible. When it fails, the impact can be immediate and widespread. Understanding and monitoring revocation is essential to maintaining a healthy PKI environment.