Certificate Revocation Lists (CRL)

A Certificate Revocation List (CRL) is a list of certificates that have been revoked. This list contains, more exactly, the serial numbers of the certificates which have been revoked together with other information such as revocation date and additional extensions which contain more details about the revoked certificates and the revocation reasons. The CRL also contains some global information attributes such as the version, signature algorithm, issuer name, issue date of the CRL and next update date.

The most common type of Certificate Revocation Lists is X.509 v2 and are usually encoded in DER (binary) or PEM (text) formats.

An example of a PEM encoded CRL can be seen below:

-----BEGIN X509 CRL-----
-----END X509 CRL-----

Open a Certificate Revocation List

CERTivity allows opening Certificate Revocation Lists which are stored in local files, or from a remote location, using a given URL address which identifies the location of a CRL. To open a CRL the following actions have to be performed:

  • For a CRL stored in a local file: Click on Menu File > Open > Open CRL > From File. A file chooser will appear allowing to select one or more CRL files (having either .crl or .pem extension). If a CRL that has to be opened has a different extension, an "All files" filter is available in the file chooser which allows selecting any file. After selecting one or more files, press Open, and each selected CRL will be opened in a different tab which will display the content details of the CRL. There is also drag and drop support for CRL files on Microsoft Windows and Linux platforms.

  • For a CRL from a remote location: Click on Menu File > Open > Open CRL > From URL. A dialog will appear requesting to enter the URL of the CRL. The CRL found at the location denoted by the given URL will be opened into a new tab. If the CRL is large, a progress bar will be displayed on the status bar until the CRL content is retrieved from the remote location. If the URL is invalid, an error message will be displayed informing that, and the user can enter another URL.

    The dialog for entering the URL can be seen below:

After opening and closing more Certificate Revocation Lists, the most recently used CRLs can be found using Menu File > Open Recent File. For the CRLs which were opened from local files the entire file path will be displayed in the menu that appears, while for the the ones opened from URLs, the URL will be displayed. A simple click on the desired CRL in the menu, will open it in a new tab. If the CRL has been already opened, the CRL's tab will be activated.

CRL Details

CERTivity displays the content of the CRL using a tree like structure for each field or group of fields of the CRL as it can be seen in the screenshot below:

Each node of the CRL tree contains the name of the field and its value in brackets, if the value is short enough to be displayed, like for Type, Version, This Update, Next Update.

For each selected node in the CRL tree, the content of the selected node will be displayed in the right panel. When the root of the tree is selected (selected by default when opening the CRL), the right panel will display the entire content of the CRL (as it can be seen in the example screenshot from above).

In this full display mode (selecting the root node of the tree), the ASN.1 representation and the CRL extensions are not displayed by default but the user can make them visible by clicking on the ASN.1 and Extensions buttons, which will expand the panel with the corresponding additional content.

Also, when the root node of the CRL tree is selected, the revoked certificates are displayed at the bottom of the right panel as a list containing for each revoked certificate the Serial Number, Revocation Date, and Extensions. The Extensions column displays informations only about the number of extensions if the revoked certificate has extensions. To view the extensions of a certain revoked certificate, select the corresponding row of the table, and an additional panel will appear at the bottom of the table containing details about the extensions of the selected revoked certificate. The names of the available extensions of a revoked certificate can be viewed faster in the tooltip which appears when positioning the cursor over the revoked certificate row.


The same view of the revoked certificates and their extensions can be obtained by selecting the Revoked Certificates List node from the tree, as it can be seen in the screenshot below:

If the revoked Certificates List node is expanded, each revoked certificate can be visible as a child node, which can also be expanded further to see the fields of the Revoked Certificate (Serial Number, Revocation Date or Extensions). If the Revoked Certificate node is selected, the right panel will display the fields contained by the selected revoked certificate, as it can be seen below:


The extensions of the revoked certificate can also be seen by clicking the Extensions button, which will trigger the displaying of the revoked certificate's extensions. Also, each field of the revoked certificate including the extensions, can be seen individually by selecting the corresponding field in the child nodes of the revoked certificate in the CRL tree.

CRL Fields

The CRL Viewer from CERTivity allows viewing the content of the following CRL fields:

  • Type

    The type of the CRL. In most cases, this is X.509;

  • Version

    The version of the CRL. In most cases, the version is 2;

  • This Update

    This field indicates the issue date of the current CRL;

  • Next Update

    This field indicates the date by which the next CRL will be issued. As mentioned in RFC 5280, the next CRL could be issued before the indicated date, but it will not be issued any later than the indicated date.

    When displaying this field is selected in the CRL tree and is displayed on the panel in the right side, the date held by it is verified against the current date, and if the date is exceeded, a red notice message will be displayed under the field as a reminder that maybe a newer CRL has been issued;

  • Signature Algorithm

    The algorithm that was used for the signature of the current CRL;

  • Issuer

    The name of the entity that signed and issued the CRL. In this field, the issuer identity is carried. Alternative name forms may also appear in the Iissuer Alternative Name extension.

    The value of this field is not displayed entirely in the CRL tree next to the node between brackets, only a part of it is shown. The full issuer details can be seen in the right panel when clicking on the node;

  • Extensions

    The extensions of the CRL. According to the RFC 5280, this field may only appear if the version is 2. If present, this field contains one or more CRL extensions.

    The value of this field is not displayed entirely next to the node between brackets. Only the number of extensions is displayed. The full details about the extensions can be seen in the right panel when clicking in the extensions node;

  • Revoked Certificates

    This field contains the list of revoked certificates. When there are no revoked certificates, this list is absent.

    The revoked certificates are displayed as child nodes of this CRL tree node. The Revoked Certificates List node on its own displays only the number of revoked certificates. Also, the list of revoked certificates can be seen in the right panel by clicking on the Revoked Certificates List node.

The CRL tree contains one more node, ASN.1, which contains the ASN.1 representation of the current CRL. The value of this node can be viewed in the right panel when it is selected.

CRL Extensions

CRL extensions provide methods for associating additional attributes with CRLs. These extensions can be marked as critical or non-critical.

CERTivity can display the following CRL extensions, defined in the RFC 5280:

  • Authority Key Identifier

    This extension provides a means of identifying the public key corresponding to the private key used to sign a CRL;

  • Issuer Alternative Name

    This extension allows additional identities to be associated with the issuer of the CRL;

  • CRL Number

    This extension contains a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL superseedes another CRL. CRL numbers also support the identification of complementary complete CRLs and delta CRLs;

  • Delta CRL Indicator

    The delta CRL indicator identifies the CRL as being a delta CRL. Delta CRLs contain updates to revocation information previously distributed rather than all the information that would appear in a complete CRL;

  • Issuing Distribution Point

    This extension identifies the CRL distribution point and scope for a particular CRL and it indicates wether the CRL covers revocation for end entity certificates only, CA certificates only, attribute certificates only or a limited set of reason codes;

  • Freshest CRL (or Delta CRL Distribution Point)

    This extension identifies how delta CRL information for this complete CRL is obtained.

  • Authority Information Access

    This extension defines the use of the Authority Information Access extension in a CRL.

Also, the following CRL Entry extensions can be displayed by CERTivity:

  • Reason Code

    This extension identifies the reason for the certificate revocation. The possible reason codes are:

    • unspecified;

    • keyCompromise;

    • cACompromise;

    • affiliationChanged;

    • superseded;

    • cessationOfOperation;

    • certificateHold;

    • removeFromCRL;

    • privilegeWithdrawn;

    • aACompromise.

  • Invalidity Date

    This extension provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry;

  • Certificate Issuer

    This extension identifies the certificate issuer associated with an entry in an indirect CRL, that is, a CRL that has the indirectCRL indicator set in its issuing distribution point extension. When present, the certificate issuer CRL entry extension includes one or more names from the issuer field and/or issuer alternative name extension of the certificate that corresponds to the CRL entry.

More information about the CRL and CRL Entry extensions can be found in the RFC 5280.

Revoked Certificates

The revoked certificates (if present) can be viewed in CERTivity either by selecting the Revoked Certificates List node, which will display a table in the right panel containing the information about these certificates, either by expanding the Revoked Certificates List node and selecting its child nodes, which will display the available fields of the revoked certificate in the right panel. Also, each revoked certificate node can be expanded to see individual fields.

For a revoked certificate, the following fields will be displayed:

  • Serial number;

  • Revocation Date;

  • Extensions.

The number of revoked certificates present in the CRL can be seen next to the Revoked Certificates List node, in brackets.