I’ve been reading about certificate management and I’m a bit confused. What’s the difference between Certificate Revocation List (CRL) and Certificate Transparency (CT) logs? Aren’t they both used to check the validity of certificates?
Certificate Revocation List (CRL) v/s Certificate Transparency (CT) logsSolved
Replies (5)
Hey @monty,
I see where the confusion comes from! While both CRL and CT logs relate to certificates, they serve very different purposes. A CRL (Certificate Revocation List) is used to keep track of certificates that have been revoked by the Certificate Authority (CA) before they expire. It’s essentially a list of certificates that should no longer be trusted, even if they’re still within their validity period.
On the other hand, Certificate Transparency (CT) logs are not about revoked certificates—they’re public logs that record every certificate a CA issues. The idea is to make the issuance process more transparent, allowing anyone to monitor and identify problems like misissued certificates. It only records the issuance of certificates, not whether they are revoked or still valid
So, I can check the CRL to see if my certificate is still trustworthy. But how does the CT logs help in that case?
Exactly! You’d check the CRL to see if your certificate has been revoked. If it’s not on the list, it’s still considered valid and trustworthy. CRLs are all about ensuring that certificates that are no longer safe are flagged and removed from use. For instance, if the private key associated with your certificate gets compromised, the CA can revoke your certificate and add it to the CRL. That way, any browser or system trying to use that certificate will know it’s no longer trustworthy.
On the other hand, CT logs help ensure that certificates are issued properly. For example, if someone tries to issue a certificate for your domain without your knowledge, it will appear in the CT logs, and you could catch it early. CT logs help prevent misissuance, but they don’t handle the validity status of a certificate.
Okay, so CRL focuses on keeping revoked certificates from being used, and CT logs are more about catching problems at the time of issuance?
Exactly! CRL acts like a “revoked list” to block the use of certificates that are no longer trustworthy. CT logs are like a “public ledger” showing every certificate that was issued, so any missteps in the issuance process can be spotted early.
-
Expand