Digital certificates and key management
Certificate revocation mechanisms

A digital certificate can be revoked if, for example, the user is no longer in sole possession of the private key (for example, the token that contains the private key has been lost or stolen) and therefore the private key is thought to have been compromised. Certificates may also be revoked if it is discovered that the certification authority (CA) has improperly issued a certificate, without complying with the requirements of its security policy.

The most common mechanism to verify whether a certificate has been revoked is based on the use of a certificate revocation list (CRL). The CRL is a list of certificates (or, more specifically, a list of serial numbers of certificates) that have been revoked and therefore should no longer be relied upon. The CRL is always issued by the CA that issued the corresponding certificates, and it is generated and published periodically, usually at a defined interval; a relying party must therefore check not only whether a serial number appears in the list, but also that the list comes from the right issuer and has not passed its next scheduled update. Every CA therefore needs a CRL.

Fig. 14 – Certificate Revocation List structure
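The following is an added worked example, not code from the original text, showing the checks a relying party performs against a CRL: that the CRL was issued by the same CA as the certificate, that it is not stale (the current time lies between thisUpdate and nextUpdate), and only then whether the certificate's serial number is listed. The data model, the sample CRL and the serial numbers are constructed for illustration; a real CRL is DER-encoded and carries the CA's signature, and this example assumes that signature has already been verified before the list is consulted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RevocationStatus(Enum):
    GOOD = "good"          # serial not listed in a usable CRL
    REVOKED = "revoked"    # serial listed in a usable CRL
    UNKNOWN = "unknown"    # CRL unusable (wrong issuer or not fresh): do not assume "good"


@dataclass(frozen=True)
class RevokedEntry:
    """One entry of the revokedCertificates sequence (constructed model)."""
    serial: int
    revocation_date: datetime
    reason: Optional[str] = None  # e.g. keyCompromise, caCompromise


@dataclass
class CRL:
    """Fields of a CRL that matter for the check (constructed model, no DER)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, RevokedEntry] = field(default_factory=dict)

    @classmethod
    def build(cls, issuer: str, this_update: datetime, next_update: datetime,
              entries: List[RevokedEntry]) -> "CRL":
        return cls(issuer, this_update, next_update, {e.serial: e for e in entries})


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    subject: str


def check_revocation(cert: Certificate, crl: CRL, now: datetime,
                     max_age: Optional[timedelta] = None) -> Tuple[RevocationStatus, str]:
    """Return the revocation status of `cert` according to `crl` at time `now`.

    Assumes the CRL signature has already been verified against the CA key.
    Any failure of the issuer or freshness checks yields UNKNOWN rather than
    GOOD, because an unusable CRL says nothing about the certificate.
    """
    # 1. A CRL only speaks for certificates issued by the same CA.
    if crl.issuer != cert.issuer:
        return RevocationStatus.UNKNOWN, "CRL issuer does not match certificate issuer"
    # 2. A CRL whose thisUpdate lies in the future is not valid yet.
    if now < crl.this_update:
        return RevocationStatus.UNKNOWN, "CRL thisUpdate is in the future"
    # 3. A CRL past its nextUpdate may be missing recent revocations.
    if now > crl.next_update:
        return RevocationStatus.UNKNOWN, "CRL is stale (past nextUpdate)"
    # 4. Optional stricter local freshness policy.
    if max_age is not None and now - crl.this_update > max_age:
        return RevocationStatus.UNKNOWN, "CRL older than local policy allows"
    # 5. Membership test on the serial number.
    entry = crl.revoked.get(cert.serial)
    if entry is None:
        return RevocationStatus.GOOD, "serial not present in CRL"
    return (RevocationStatus.REVOKED,
            f"revoked on {entry.revocation_date.isoformat()} ({entry.reason or 'unspecified'})")


# Constructed sample data: one CA, a weekly CRL with two revoked serials.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CRL.build(
    issuer="CN=Example CA",
    this_update=T0,
    next_update=T0 + timedelta(days=7),
    entries=[
        RevokedEntry(0x1001, T0 - timedelta(days=2), "keyCompromise"),
        RevokedEntry(0x1002, T0 - timedelta(days=1), "caCompromise"),
    ],
)


def demo() -> Dict[str, RevocationStatus]:
    """Run the check over a few constructed certificates and times."""
    in_window = T0 + timedelta(days=1)
    after_window = T0 + timedelta(days=8)
    cases = {
        "revoked serial": (Certificate(0x1001, "CN=Example CA", "CN=alice"), in_window),
        "unlisted serial": (Certificate(0x2000, "CN=Example CA", "CN=bob"), in_window),
        "stale CRL": (Certificate(0x2000, "CN=Example CA", "CN=bob"), after_window),
        "other issuer": (Certificate(0x2000, "CN=Other CA", "CN=carol"), in_window),
    }
    results = {}
    for name, (cert, now) in cases.items():
        status, detail = check_revocation(cert, SAMPLE_CRL, now)
        print(f"{name:15s} -> {status.value}: {detail}")
        results[name] = status
    return results


if __name__ == "__main__":
    demo()
```

The point of the three-valued result is that a missing, stale or mis-issued CRL must surface as UNKNOWN; treating it as GOOD would let a revoked certificate pass simply because the revocation information could not be obtained.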