
1.1.4 Certificate Revocation Lists

End entities normally evaluate a certificate for validity when they make a trust decision, and they stop trusting the certificate once it is presented after its expiration date. To invalidate a previously issued certificate before it expires, an administrator can revoke it. This might be required, for example, when an employee leaves the organization or when the private key has been compromised. The CA maintains a list of revoked certificates and makes it publicly available at a location that is specified in every certificate it issues. This list is known as the certificate revocation list (CRL). Entities that are required to verify the validity of a certificate can download the CRL and determine whether the certificate appears in it.
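As an added example (not code from the original text), the following Python uses the `cryptography` package to walk through this flow: the CA issues a certificate carrying a CRL distribution point, revokes it by publishing a signed CRL, and a verifier reads the CRL location from the certificate and checks the certificate's serial number against the list. The CA name, subject name and CRL URL are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.test/ca.crl"  # constructed placeholder, not a real CA

def make_ca_and_cert():
    """CA side: self-signed CA plus a leaf certificate that names the CRL location."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    # The CRL Distribution Points extension tells verifiers where the CA publishes its CRL.
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)])
    leaf_cert = (x509.CertificateBuilder()
                 .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice")]))
                 .issuer_name(ca_name).public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
                 .serial_number(x509.random_serial_number())
                 .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
                 .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, leaf_cert

def build_crl(ca_key, ca_cert, revoked_serials):
    """CA side: publish a signed CRL listing the revoked serial numbers."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_location(cert):
    """Verifier side: read the CRL URL the CA embedded in the certificate."""
    cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return cdp[0].full_name[0].value

def is_revoked(cert, crl, ca_cert):
    """Verifier side: accept the CRL only if the CA signed it, then look up the serial."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA; do not use it")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

In a real deployment the verifier fetches the CRL from the URL returned by `crl_location` and should also reject a CRL whose `next_update` has passed, since a stale list may omit recent revocations.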