CRL Distribution Points Explained
CRL Distribution Points (CDP) is an X.509 extension that lists one or more URLs where the issuing CA publishes its Certificate Revocation List (CRL). A CRL is a signed list of all certificates the CA has revoked before their expiry date.
How CRLs Work
A CRL is a file published by the CA at regular intervals (typically every few hours to once per day). The file contains:
- The CA's identity
- The time the CRL was issued and the time the next update is expected
- A list of revoked certificate serial numbers with revocation dates and reasons
- The CA's digital signature over the entire list
Browsers and TLS clients can download this list and check locally whether a certificate's serial number appears in it.
CRL vs. OCSP
CRLs and OCSP both serve the same purpose — providing revocation status — but differ in approach:
- CRL: Batch download of the entire revocation list. Can be large (megabytes for busy CAs). Cached locally. Works offline after download.
- OCSP: Real-time query for a specific certificate's status. Faster for small-scale checks. Requires network access.
Modern deployments typically use OCSP (with stapling) for TLS, but CRLs remain important for certificate pinning, code signing, and enterprise PKI where offline checking matters.
Reading CDP in the Decoder
The CRL Distribution Points extension in the decoder output shows one or more URI: entries pointing to .crl files. For example, a DigiCert certificate might show http://crl3.digicert.com/DigiCertGlobalRootCA.crl. You can download this URL to inspect the raw CRL.
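How those URI: entries come out of the certificate, as an added example (not the decoder's own code): a standard-library Python walk of the DER-encoded extension value that collects each fullName URI. It assumes the input is the extension value itself, without the surrounding OCTET STRING wrapper. The sample bytes are constructed here, and the second URL is made up so that long-form DER lengths are exercised.

```python
# Added example: list the URIs in a DER CRLDistributionPoints value (OID 2.5.29.31).
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def cdp_uris(ext_value):
    """List the fullName URIs of every DistributionPoint in ext_value."""
    tag, points, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one outer SEQUENCE")
    uris = []
    for dp_tag, dp in children(points):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        # distributionPoint is [0]; reasons [1] and cRLIssuer [2] are skipped
        for field in (v for t, v in children(dp) if t == 0xA0):
            for name_tag, names in children(field):
                if name_tag == 0xA0:  # fullName [0]; [1] is a relative name
                    uris += [v.decode("ascii") for t, v in children(names) if t == 0x86]
    return uris

def tlv(tag, value):
    """DER encoder, used only to build the constructed sample below."""
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

# Constructed sample: the URL quoted above plus a made-up URL that needs long-form lengths.
SAMPLE_URLS = ["http://crl3.digicert.com/DigiCertGlobalRootCA.crl",
               "http://crl.example.test/" + "a" * 120 + ".crl"]
SAMPLE_EXT = tlv(0x30, b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, u.encode())))) for u in SAMPLE_URLS))
if __name__ == "__main__":
    print(cdp_uris(SAMPLE_EXT))
```

The parser rejects truncated input and indefinite lengths, but it does not enforce every DER minimal-encoding rule, so treat it as a reading aid rather than a validator.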