1

Im trying to get my head around how Certificate Relocation Lists operate and how they update.

So say my server xyz.com has a certificate with a CRL Distribution Point configured as myissuer.com/thelist.crl

Now ive monitored the communication on my network using wireshark when connecting to xyz.com and i dont see any calls to myissuer.com to get the CRL.

So ive two questions:

  1. When does the call to the CRL Distribution Point actually occur and how often?

  2. If i download and install this CRL file manually does my client still try and connect to the configured CRL Distribution Point?

CathalMF
  • 9,705
  • 6
  • 70
  • 106

1 Answers1

2

When does the call to the CRL Distribution Point actually occur and how often?

The browser/client decides when to request the CRL. It could be "never"

If i download and install this CRL file manually does my client still try and connect to the configured CRL Distribution Point?

Usually yes, except if the client has its own cache with the CRL and the lifetime of the CRL has not expired.

What is not usual is that the client consults the system repository (e.g. windows keystore) to know if a crl is installed. Note that the CRL expires, so it's important to have an updated copy

See OCSP stapling if you want to optimize revocation checking for web sites https://en.wikipedia.org/wiki/OCSP_stapling

pedrofb
  • 37,271
  • 5
  • 94
  • 142