Hi Manuel,
I know this is old, but it still comes up as one of the top results on some searches about PKI, so I just wanted to leave a short answer.
Best practice is http and not https. When checking documentation like the one Fan Fan linked above, you will also always find only http in the CDP links.
I don't have a source in writing as to why this is, but it's kind of a logical issue about how CRLs work. (It's also the same reason why OCSP only uses http and the special OCSP signing certs have an extension that says "do not check revocation for this cert".)
A client wants to access a web server that uses one of your CAs' certs for https. It then has to check the revocation. For that, it accesses the CRL - also on a web server. Now, if it used https for the CRL, it would get shown a TLS cert from the web server that hosts the CDP. Then, it would need to check the revocation of THIS cert. For that, it looks into the cert, gets the CDP URL, connects to check the CRL - and is again on https, sees a web server cert, has to check its CRL, and so on and so on ... So, unless you use a cert from a different CA (with a different CDP) or a public cert for your CDP, you potentially shoot your clients into a vicious circle of revocation checks they can't escape from ...
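
The circular dependency described in the post above, modelled as an added example (not part of the original post). All certificate names, hosts and URLs are constructed, and the check reports a potential loop whenever following an https CDP leads back to a certificate already being checked.

```python
from urllib.parse import urlsplit


def revocation_loop(cert, cdp, tls_cert):
    """Follow https CDPs from `cert`; return the repeating chain, or None.

    cdp:      certificate name -> list of CDP URLs embedded in that certificate
    tls_cert: https host name  -> certificate that host presents in TLS
    """
    path = []

    def visit(name):
        if name in path:
            # This certificate's revocation check is already pending: loop.
            return path[path.index(name):] + [name]
        path.append(name)
        for url in cdp.get(name, []):
            parts = urlsplit(url)
            if parts.scheme.lower() != "https":
                continue  # plain http: no TLS cert to validate before the fetch
            server_cert = tls_cert.get(parts.hostname)
            if server_cert is None:
                continue  # host not in the inventory, nothing to follow
            loop = visit(server_cert)
            if loop:
                return loop
        path.pop()
        return None

    return visit(cert)


# Constructed inventory: which cert each https host presents.
TLS_CERT = {"crl.corp.example": "crl-host"}

# Case 1: CDP over https, CRL host cert issued by the same CA (same CDP).
LOOPING = {
    "web-server": ["https://crl.corp.example/ca1.crl"],
    "crl-host": ["https://crl.corp.example/ca1.crl"],
}
# Case 2: the usual layout, CDP over plain http.
HTTP_ONLY = {
    "web-server": ["http://crl.corp.example/ca1.crl"],
    "crl-host": ["http://crl.corp.example/ca1.crl"],
}
# Case 3: https CDP, but the CRL host cert comes from a different CA
# whose own CDP is reachable over http.
OTHER_CA = {
    "web-server": ["https://crl.corp.example/ca1.crl"],
    "crl-host": ["http://crl.other-ca.example/ca.crl"],
}
```
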