Sunday, December 20, 2009

What's in a CRL?

When studying for the Security+ exam, you may run across the following objective:


“Explain core concepts of public key cryptography.” This objective includes a listing of several related topics including Certification Revocation List (CRL)

This blog on SSL, OCSP and CRLs talked about the relationship of SSL, OCSP and CRLs, but you may be wondering what a CRL actually is. In short, a CRL is a certificate that holds the serial numbers of revoked certificates.


As a little background, a certificate holds a public key but it holds a lot more. You can view one in Internet Explorer by clicking Tools, Internet Options, Content, Certificates, Trusted Root Certification Authority, selecting a certificate and clicking View. Click the Details tab and you can see all the contents.
The following figure shows the details on a Verisign root certificate. The Public Key field is selected, and the key itself is shown in the bottom pane. But notice also that the first field showing is the serial number. The serial number is used to uniquely identify a certificate. Select the serial number field and you can see the serial number (which is important for this conversation). Select the Public Key field and you can view the actual public key.



This public key is part of a matched public/private key pair. When data is encrypted with the public key, it can only be decrypted by the private key (which is commonly done with SSL). When data is encrypted with the private key, it can only be decrypted with the public key (which is commonly done with digital signatures).

If the private key ever becomes compromised, the certificate needs to be revoked so that it is no longer used. How can the certificate be uniquely identified? With the serial number. A certificate authority (CA) issues the certificate, and if the matching private key for the certificate becomes compromised, the certificate is published on a Certificate Revocation List (CRL, pronounced as crill).

CAs commonly publish the CRL as a version 2 certificate, as shown in the following figure. This CRL has only one certificate, but it's much more common for a CRL to have multiple revoked certificates.
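
To see the serial-number lookup in action, here is an added example (not part of the original post) that plays both roles: a CA signing a CRL with one revoked serial number, and a client checking a certificate's serial number against it. It assumes the third-party Python `cryptography` package; the CA name, serial numbers and date are constructed for the demonstration.

```python
# Added example: constructed CA, serial numbers and date; requires the
# third-party "cryptography" package.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

REVOKED_SERIAL = 0x1A2B3C   # constructed: serial of the compromised certificate
GOOD_SERIAL = 0x4D5E6F      # constructed: serial of a certificate still in use


def build_crl(ca_key, issuer, now):
    """Act as the CA: sign a CRL that lists one revoked serial number."""
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(REVOKED_SERIAL)
        .revocation_date(now)
        .build()
    )
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_revoked_certificate(entry)
        .sign(ca_key, hashes.SHA256())
    )


def is_revoked(crl, ca_public_key, serial):
    """Client side: trust the list only if the CA signed it, then look up the serial."""
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())  # throwaway test CA key
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.datetime(2009, 12, 20)  # constructed issue date
    crl = build_crl(ca_key, issuer, now)
    pub = ca_key.public_key()
    return is_revoked(crl, pub, REVOKED_SERIAL), is_revoked(crl, pub, GOOD_SERIAL), len(crl)


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The signature check comes first because a serial-number lookup is only meaningful on a list the CA actually signed.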


Hope this helps you with your studies.

Darril Gibson
