Certificate Revocation Lists

In some cases, a CA must revoke a certificate before the certificate’s validity period expires. When a certificate is revoked, the CA includes the serial number of the certificate and the reason for the revocation in the CRL.



A relying party should reject a certificate that is revoked.

Types of CRLs

Windows Server 2008 supports the issuance of two types of CRLs: base CRLs and delta CRLs.

A base CRL contains the serial numbers of all certificates revoked on a CA that are still time valid, as well as the reason for each revocation. A base CRL contains all time-valid revoked certificates signed by a CA’s specific private ...

Get Windows Server® 2008 PKI and Certificate Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.