Certificate Revocation List (CRL) Request Timing, Frequency, and Manual Installation: Technical Questions
Answers to Your CRL Questions
1. CRL Request Trigger Timing & Frequency
Let’s start with the "when" and "how often" of CRL requests—this stuff can feel opaque at first, so I’ll break it down plainly:
- Trigger moments:
  - First-time certificate check: The first time your system or app validates xyz.com's certificate, it'll check if it already has a valid, unexpired CRL for the issuer. If not, it'll send a request straight to the CDP (myissuer.com/thelist.crl).
  - CRL expiration: Every CRL has a `Next Update` timestamp baked right into it. Once your cached CRL hits that timestamp, the next time the certificate needs validation, your system will pull a fresh copy from the CDP.
  - Manual validation: If you manually trigger a revocation check (like clicking the padlock in your browser, viewing the certificate, and selecting "Check Revocation"), that'll force a CRL lookup, and a request if the cached copy is stale.
  - Cache cleanup: Rarely, if your system or app clears its cache early (e.g., due to low storage), it might trigger a fresh CRL request before the `Next Update` time.
- Request frequency:
  - The main driver here is the `Next Update` value in the CRL itself. Most SSL certificate issuers set this to 24 hours, but it can range from a few hours to several days depending on the issuer's policy.
  - Some older or custom apps might have their own cache overrides (e.g., forcing a refresh every 12 hours even if the CRL isn't expired), but this is unusual in modern systems.
2. What Happens When You Manually Install a CRL?
Manually adding the CRL to your system changes how revocation checks work:
- Local cache takes precedence: Once installed, your system or app will use the local CRL copy instead of reaching out to the CDP, until that local CRL hits its own `Next Update` time. That's exactly why you're not seeing requests to myissuer.com anymore after installing it.
- Quick installation examples by system:
  - Windows: Use `certutil -addstore -f "CRL" C:\path\to\thelist.crl` in Command Prompt, or open `certmgr.msc`, navigate to "Certificate Revocation Lists" under the relevant store (e.g., Trusted Root Certification Authorities), and import the file via the right-click menu.
  - macOS: Open Keychain Access, go to the "Certificates" tab, drag and drop the CRL file into the keychain, then adjust its trust settings as needed.
  - Linux: Copy the CRL to `/etc/ssl/crls/` (or your distro's equivalent directory) and update the system's certificate config (often via `/etc/ssl/openssl.cnf`) to reference it.
- Critical note: Always download the CRL directly from the issuer’s official source. Installing an outdated or tampered CRL can lead to false positives (valid certificates marked as revoked) or false negatives (revoked certificates seen as valid).
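To make the caching behaviour from both sections concrete, here is an added example (my own code, not part of the original answer or any product's implementation). Using only Go's standard library, it builds a throwaway CA and CRL as a constructed fixture, reuses the cached CRL until its Next Update, refetches only after that, and refuses to cache a CRL whose signature does not verify against the issuer. The issuer name "test issuer", the serial numbers and the times are all assumptions for the fixture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewChecker implements the caching rule described above: the issuer's CRL stays in memory and
// cdp (a stand-in for the HTTP GET of the distribution point) is called only when nothing is cached
// yet or the cached copy has reached its NextUpdate. A CRL that fails signature verification
// against issuer is rejected rather than cached, so a tampered download never sticks.
func NewChecker(issuer *x509.Certificate, cdp func() []byte) func(time.Time, *big.Int) (bool, error) {
	var cached *x509.RevocationList
	return func(now time.Time, serial *big.Int) (bool, error) {
		if cached == nil || !now.Before(cached.NextUpdate) {
			crl, err := x509.ParseRevocationList(cdp())
			if err == nil {
				err = crl.CheckSignatureFrom(issuer)
			}
			if err != nil {
				return false, err
			}
			cached = crl
		}
		for _, e := range cached.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(serial) == 0 {
				return true, nil
			}
		}
		return false, nil
	}
}

// BuildTestCRL creates a throwaway CA from a fixed all-zero seed (a constructed fixture, not a real
// issuer) and signs a CRL that revokes one serial and reaches NextUpdate 24 hours after now.
func BuildTestCRL(now time.Time, revoked *big.Int) (*x509.Certificate, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test issuer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv) // fixed inputs: errors surface via the checker
	ca, _ := x509.ParseCertificate(der) // re-parse so the SubjectKeyId generated for the CA is populated
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked, RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, list, ca, priv)
	return ca, crlDER
}
```

Drive it from a `go test` file: build the fixture, pass a `cdp` closure that counts its own invocations, and call the checker before and after the 24-hour mark to see exactly one refetch.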
The question comes from Stack Exchange; it was asked by CathalMF.