Certificate Revocation List (CRL)
How Do Browsers Handle Revoked SSL/TLS Certificates? - SSL.com Introduction. Checking the revocation status of SSL/TLS certificates presented by HTTPS websites is an ongoing problem in web security. Unless a server is configured to use OCSP Stapling, online revocation checking by web browsers is both slow and privacy-compromising. Because online OCSP queries fail so often and are impossible in some situations (such as with captive portals), browsers
ComodoCA Official Site | Comodo SSL Certificates Official Site Buy your Comodo SSL certificates directly from the No.1 Certificate Authority powered by Sectigo (formerly Comodo CA). Fast service with 24/7 support. Over 20 years of SSL Certificate Authority!
AD FS Troubleshooting - Certificates | Microsoft Docs SSL certs need to be trusted by the clients; Token signing certificates need to be trusted by the relying parties; Check the trust chain - every cert in the chain needs to be valid. Verify the certificate expiration date; Check Certificate Revocation List (CRL) accessibility: Make sure the CDP field is populated; Manually browse to the CDP
How to revoke the certificate and generate a CRL with openssl Oct 26, 2019
In a recent question, I outlined the steps for verifying a wildcard SSL certificate for connecting to PostgreSQL from a remote client (using the same wildcard certificate I use for my web server). Although I resolved that problem, one lingering thing I haven't yet figured out is how to confirm I have the correct CRL(s) for my certificate.
Using HTTPS to serve CRL is just wasted resources; it may even prevent CRL download from working since some implementations (e.g. Windows) refuse to follow HTTPS URL when validating certificates (be it for CRL, OCSP, or extra intermediate CA download), because that would mean SSL, then another certificate to validate, and possibly an endless loop.
Sectigo removes CRL support in newly issued certificates Apr 04, 2019