What happens when a certificate is revoked?

The CA adds the certificate's serial number to its CRL and OCSP responses. Properly checking clients (browsers, server TLS libraries) refuse connections presenting revoked certificates. However, many clients cache old CRLs or skip revocation checking for performance.

Does every browser check CRLs?

Modern browsers largely do not check individual CRLs for performance reasons. Chrome uses CRLSets (pre-downloaded revocation lists for high-value certificates). Firefox uses CRLite (a probabilistic filter). Safari and Edge use OS-level revocation checking.

How long does certificate revocation take to propagate?

CRL propagation depends on CRL TTL (typically 1-7 days). OCSP is near-real-time but subject to caching (15-60 minutes). For immediate effect after a private key compromise, contact your CA for emergency revocation and notify affected clients directly.

CRL Checker | DevTools Surf

DevTools Surf

About CRL Checker

CRL Checker preview - Security / Crypto tool

Check Certificate Revocation Lists (CRL) for certificate revocation status. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

Verify a certificate has not been revoked before trusting it in a critical system
Debug TLS certificate revocation errors in production
Audit certificate status across a fleet of servers
Understand the difference between CRL and OCSP revocation mechanisms

Tips

Enter the certificate's CRL Distribution Point URL from the certificate's extensions — paste it directly into the checker rather than manually fetching the CRL
CRLs are cached and may be several hours old; check the 'this update' and 'next update' fields to know how stale the list is
For time-sensitive revocation checking, prefer OCSP (Online Certificate Status Protocol) over CRLs — OCSP provides real-time status per certificate

Fun Facts

The first CRL (Certificate Revocation List) was introduced in X.509 v2 in 1993. CRLs grew so large (some CA CRLs exceed 100MB) that OCSP was developed in 1999 as a lighter alternative — though CRLs remain in use for intermediate CA revocation.
When DigiNotar, a Dutch CA, was compromised in 2011 and issued fraudulent certificates for Google, Mozilla, and other major sites, browser vendors had to hard-code revocation because CRL/OCSP checking had known delays. The incident led to Google developing Certificate Transparency.
OCSP stapling (RFC 6961, 2013) allows web servers to include a signed OCSP response in the TLS handshake, avoiding the client-side lookup latency. Chrome deprecated OCSP checking in 2020 in favor of CRLSets — a compressed revocation list pushed via software update.

FAQ

What happens when a certificate is revoked?: The CA adds the certificate's serial number to its CRL and OCSP responses. Properly checking clients (browsers, server TLS libraries) refuse connections presenting revoked certificates. However, many clients cache old CRLs or skip revocation checking for performance.
Does every browser check CRLs?: Modern browsers largely do not check individual CRLs for performance reasons. Chrome uses CRLSets (pre-downloaded revocation lists for high-value certificates). Firefox uses CRLite (a probabilistic filter). Safari and Edge use OS-level revocation checking.
How long does certificate revocation take to propagate?: CRL propagation depends on CRL TTL (typically 1-7 days). OCSP is near-real-time but subject to caching (15-60 minutes). For immediate effect after a private key compromise, contact your CA for emergency revocation and notify affected clients directly.

Related Security / Crypto Tools

Hash Generator v2 HMAC Generator v2 JWT Encoder Bcrypt Hash Tester HMAC Generator Password Strength Analyzer TOTP / 2FA Generator SAML Response Decoder