Certificate Revocation List (CRL)

A Certificate Revocation List (CRL) is a mechanism by which a certificate authority (CA) publishes the signed certificates it has revoked, for example because a certificate was issued in error or because its private key may have been compromised.

When the CA responds to the Certificate Signing Request (CSR) and signs the certificate, a field is added to the SSL certificate that specifies the CRL distribution endpoint(s). At this endpoint the CA publishes a new CRL file at intervals it defines. When a certificate is revoked or deemed invalid, the CA lists it in the CRL and signs the CRL at the next publish date.

If the HTTPS client finds the server's SSL certificate on the CRL, it considers the certificate invalid and no longer trusts it. Depending on the client's configuration, failure to reach the CRL endpoint may be treated the same as finding the SSL certificate on the CRL, so the certificate is again considered invalid. Although this is a temporary false positive, it still prevents communication. The Client Application Loader (CAL) client, the Labor Management driver, and the Gift and Loyalty drivers all treat a failure to reach a CRL endpoint as encountering an untrusted SSL server.
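The client-side check described above, as an added example that is not Simphony's or Oracle's code: a Python script using the cryptography library builds a constructed throw-away CA, issues a leaf certificate that names an assumed CRL distribution point, publishes a CRL, and then looks the certificate up in it, treating an unreachable endpoint, a stale CRL or a CRL the CA did not sign as "unavailable" so that fail-closed and fail-open policies can be compared. All names, the URL and the serial numbers are constructed; fetch_crl is a stand-in for the HTTP download.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed throw-away PKI (nothing here is Simphony's); the CRL URL is assumed and never contacted.
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
CRL_URL = "http://crl.example.test/ca.crl"

def issue_leaf(serial):
    """Issue a CA-signed leaf certificate carrying a CRL Distribution Points extension."""
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "pos.example.test")]))
            .issuer_name(CA_NAME).public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial).not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(CA_KEY, hashes.SHA256()))

def build_crl(revoked_serials, age_days=0):
    """Publish a CA-signed DER CRL listing the given serials; each CRL is valid for 7 days."""
    issued = NOW - dt.timedelta(days=age_days)
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(issued).next_update(issued + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(issued).build())
    return b.sign(CA_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_revocation(cert, fetch_crl, ca_public_key, now=NOW):
    """Return 'good', 'revoked' or 'unavailable'; fetch_crl(url) returns DER bytes, or None/raises on failure."""
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    for url in (n.value for dp in dps for n in (dp.full_name or []) if isinstance(n, x509.UniformResourceIdentifier)):
        try:
            crl = x509.load_der_x509_crl(fetch_crl(url))
        except Exception:
            continue  # endpoint down or garbage returned: try the next distribution point
        next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=dt.timezone.utc)
        if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key) or next_update < now:
            continue  # wrong issuer, not signed by our CA, or stale: as useless as no CRL at all
        return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
    return "unavailable"

def is_trusted(cert, fetch_crl, ca_public_key, fail_closed=True):
    """Fail-closed (how CAL, Labor Management and Gift and Loyalty behave) rejects on 'unavailable' as well."""
    status = check_revocation(cert, fetch_crl, ca_public_key)
    return status == "good" or (status == "unavailable" and not fail_closed)
```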

With the Online Certificate Status Protocol (OCSP), instead of the SSL certificate specifying where to download a list of revoked certificates, it includes the address of an OCSP responder. When the certificate hash is provided to the responder, it returns whether the certificate is valid or invalid. With OCSP stapling, the server itself requests a validation response from the OCSP responder and, for a specified period, presents this response to the client during the SSL/TLS handshake. This removes the need for the client to download a potentially large CRL. Simphony does not support OCSP or OCSP stapling.