← Week 4: X.509 Certificates

Day 27: CRL Structure and Distribution

Phase 1 · June 9, 2026


Agenda (2–3 hours)

  • Read (75 min): RFC 5280 §5 (CRL and CRL Extensions), §4.2.1.13 (CRL Distribution Points)
  • Study (30 min): CRL structure, distribution, delta CRLs
  • Practice (45 min): Download and parse a real CRL
  • Challenge (30 min): Rust CRL checker

CRL Structure

CertificateList ::= SEQUENCE {
    tbsCertList          TBSCertList,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}

TBSCertList ::= SEQUENCE {
    version             Version OPTIONAL,       -- if present, MUST be v2 (INTEGER value 1)
    signature           AlgorithmIdentifier,    -- MUST match the outer signatureAlgorithm
    issuer              Name,
    thisUpdate          Time,                   -- when this CRL was issued
    nextUpdate          Time OPTIONAL,          -- when the next CRL will be issued; OPTIONAL in
                                                -- the syntax, but conforming issuers MUST include it
    revokedCertificates SEQUENCE OF ... OPTIONAL,  -- MUST be absent when nothing is revoked
    crlExtensions       [0] EXPLICIT Extensions OPTIONAL  -- if present, version MUST be v2
}

Revoked Certificate Entry

SEQUENCE {
    userCertificate     CertificateSerialNumber,
    revocationDate      Time,
    crlEntryExtensions  Extensions OPTIONAL
}

Reason codes (CRLReason, a CRL entry extension, RFC 5280 §5.3.1): unspecified (0),
keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4),
cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9),
aACompromise (10). Value 7 is unused. removeFromCRL only appears in delta CRLs (it lifts a
hold), and rather than encoding unspecified (0) the extension SHOULD simply be omitted.

For provisioning: if you revoke due to key compromise, use keyCompromise (not unspecified).
This signals that the key itself is untrusted, not just the cert: the CA must never certify
that public key again, and relying parties may refuse any certificate that carries it. If the
compromise is believed to predate the revocation, record that earlier time in the Invalidity
Date entry extension (§5.3.2); revocationDate stays the date the entry was added.


CRL Distribution Points (CDP)

Extension in end-entity and intermediate certs:

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    reasons           [1] ReasonFlags OPTIONAL,
    cRLIssuer         [2] GeneralNames OPTIONAL
}

Typical CDP value: URI: http://crl.pki.amazon.com/r1.crl

Clients download the CRL from this URL periodically and cache it until nextUpdate. The URL is
plain HTTP on purpose (fetching it over TLS would need its own revocation check), so the bytes
are untrusted until the client has verified the CRL's signature with the issuer's key and
checked thisUpdate <= now < nextUpdate; a CRL that fails either check is unavailable, not
"nothing revoked". Two less common fields change what the client must verify: if reasons is
present, the CRL at that point covers only those reason codes, so full status needs the other
points as well; if cRLIssuer is present, the CRL is signed by that name rather than the
certificate's issuer (an indirect CRL) and must be verified against that key.


Delta CRLs

Full CRLs can be large (millions of revoked certs for large CAs).

Delta CRL: contains only the changes since a base CRL. It is published at its own URL, given
by the Freshest CRL extension (§4.2.1.15) of the certificate or of the base CRL; there is no
request/response negotiation. The delta carries a critical Delta CRL Indicator extension
(§5.2.4) that names the base it starts from:

cached complete CRL:  cRLNumber = 42
delta CRL:            cRLNumber = 45, BaseCRLNumber = 42
                      entries: serials revoked since the base, plus removeFromCRL entries
                      for certificates whose hold has been released

The client merges the delta into any cached complete CRL whose cRLNumber is >= 42; the result
is equivalent to complete CRL 45. Both CRLs are signature-checked and freshness-checked like
any other.

For most private PKIs: full CRLs are small enough that delta CRLs aren't needed.
But for AWS-scale certificate issuance, delta CRLs matter.
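The merge step described above, as an added example in Go that is not code from this page. It works on data that has already been parsed and signature-checked: the CompleteCRL, DeltaCRL and DeltaEntry types are this example's own simplification rather than a library API, serials are hex strings, Number is the cRLNumber and BaseNumber is the value of the Delta CRL Indicator extension. The base and delta in main are constructed sample data.

```go
package main

import "fmt"

// CRLReason values (RFC 5280 §5.3.1) the merge has to treat specially.
const (
	reasonCertificateHold = 6
	reasonRemoveFromCRL   = 8
)

// CompleteCRL is a relying party's cached, already-validated view of a complete
// CRL: its cRLNumber and the reason code of each revoked serial. (Example-local
// type, not a library API.)
type CompleteCRL struct {
	Number  int64
	Revoked map[string]int // serial as hex -> CRLReason
}

// DeltaCRL holds the parts of a delta CRL the merge needs: its own cRLNumber,
// the BaseCRLNumber from its Delta CRL Indicator extension, and its entries.
type DeltaCRL struct {
	Number     int64
	BaseNumber int64
	Entries    []DeltaEntry
}

// DeltaEntry is one revokedCertificates entry of the delta.
type DeltaEntry struct {
	Serial string
	Reason int
}

// ApplyDelta combines a cached complete CRL with a delta CRL (RFC 5280 §5.2.4).
// The delta may only be applied to a complete CRL whose cRLNumber is at least the
// delta's BaseCRLNumber, and a delta that is not newer than the cache is rejected
// instead of being silently re-applied. The result carries the delta's cRLNumber
// and is equivalent to the complete CRL issued alongside the delta. The cached
// base is not modified.
func ApplyDelta(base CompleteCRL, delta DeltaCRL) (CompleteCRL, error) {
	if base.Number < delta.BaseNumber {
		return CompleteCRL{}, fmt.Errorf("cached CRL %d is older than the delta's base %d: refetch the complete CRL",
			base.Number, delta.BaseNumber)
	}
	if delta.Number <= base.Number {
		return CompleteCRL{}, fmt.Errorf("delta %d is not newer than cached CRL %d", delta.Number, base.Number)
	}
	merged := CompleteCRL{Number: delta.Number, Revoked: make(map[string]int, len(base.Revoked))}
	for serial, reason := range base.Revoked {
		merged.Revoked[serial] = reason
	}
	for _, e := range delta.Entries {
		if e.Reason != reasonRemoveFromCRL {
			merged.Revoked[e.Serial] = e.Reason // new revocation, or a hold made permanent
			continue
		}
		// removeFromCRL only ever releases a certificateHold. A CRL issuer never
		// un-revokes, so an entry that would drop a permanent revocation is treated
		// as a bug or a forged delta (this refusal is the example's own safety check).
		switch cur, ok := merged.Revoked[e.Serial]; {
		case !ok: // held and released between two complete CRLs: nothing to undo
		case cur == reasonCertificateHold:
			delete(merged.Revoked, e.Serial)
		default:
			return CompleteCRL{}, fmt.Errorf("serial %s: removeFromCRL for a permanently revoked certificate (reason %d)", e.Serial, cur)
		}
	}
	return merged, nil
}

func main() {
	// Constructed sample: complete CRL 42 lists a compromised key and a hold;
	// delta 45 (base 42) releases the hold and adds a superseded certificate.
	base := CompleteCRL{Number: 42, Revoked: map[string]int{"1001": 1, "1002": reasonCertificateHold}}
	delta := DeltaCRL{Number: 45, BaseNumber: 42, Entries: []DeltaEntry{{"1002", reasonRemoveFromCRL}, {"1003", 4}}}
	merged, err := ApplyDelta(base, delta)
	fmt.Println(merged, err) // {45 map[1001:1 1003:4]} <nil>
}
```

The two number checks are what make caching safe: a base older than BaseCRLNumber may be missing revocations the delta assumes are already present, and a replayed or out-of-order delta must not move the cached cRLNumber.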


Practice Exercise

# Extract CDP URL from a cert. </dev/null ends the session once the handshake is done
# (otherwise s_client waits on stdin); -servername sends SNI so the right cert comes back.
openssl s_client -connect amazon.com:443 -servername amazon.com </dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A2 "CRL Distribution"

# Download a CRL. A root CA's CRL lists revoked intermediates; to check a leaf, fetch the
# URL printed by the command above instead.
curl -s http://crl.rootca1.amazontrust.com/root-ca1.crl -o /tmp/amazon.crl

# Parse the CRL (this one is DER; use -inform PEM for a PEM-encoded CRL)
openssl crl -in /tmp/amazon.crl -inform DER -noout -text | head -30

# Verify the CRL's signature before trusting its contents. issuer.pem is a placeholder
# for the certificate of the CA named in the CRL's Issuer field.
openssl crl -in /tmp/amazon.crl -inform DER -noout -verify -CAfile issuer.pem

# Check if a specific serial is in the CRL. Take the serial from the certificate itself
# (cert.pem is a placeholder); grepping for "serial" alone would list every revoked serial.
SERIAL=$(openssl x509 -in cert.pem -noout -serial | cut -d= -f2)
openssl crl -in /tmp/amazon.crl -inform DER -noout -text | grep -qi "Serial Number: $SERIAL" \
  && echo REVOKED || echo "NOT REVOKED (by this CRL)"
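The same pipeline as the exercise above, and steps 1, 2 and 4 to 6 of the challenge, as an added example in Go rather than the challenge's Rust, because Go's standard library (crypto/x509, Go 1.21 or later) can issue, parse and verify CRLs with no third-party crate. This is not code from the page or from any project: it builds a throwaway CA, a leaf certificate with a CRL Distribution Point and a signed CRL in memory, so the HTTP download is replaced by the DER bytes it would have returned. The CA name, the device name and the CDP URL http://crl.example.test/ca.crl are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
const NotRevoked, Revoked = "NOT REVOKED", "REVOKED" // the challenge's output strings
const testCDP = "http://crl.example.test/ca.crl"    // placeholder CDP URL; never fetched
// signAndParse issues a certificate and re-parses it so derived fields (SubjectKeyId, RawIssuer) are set.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildTestPKI constructs, in memory, a CA, a leaf carrying a CRL Distribution Point, and a
// DER CRL (cRLNumber 42) signed by the CA listing 0x1001 (keyCompromise) and 0x1002 (certificateHold).
func buildTestPKI(now time.Time) (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is mandatory for a CRL signer
	}
	if ca, err = signAndParse(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1001), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{testCDP}, // the CDP extension (RFC 5280 §4.2.1.13)
	}
	if leaf, err = signAndParse(leafTmpl, ca, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(42), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(0x1001), RevocationTime: now, ReasonCode: 1}, // keyCompromise
			{SerialNumber: big.NewInt(0x1002), RevocationTime: now, ReasonCode: 6}, // certificateHold
		},
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crlDER, err
}

// validateCRL is what a relying party must do with bytes fetched from the CDP before believing
// them: parse, match the issuer name, verify the issuer's signature, reject anything outside
// [thisUpdate, nextUpdate). A failure here means "CRL UNAVAILABLE", never "NOT REVOKED".
func validateCRL(crlDER []byte, subject, issuer *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if !bytes.Equal(rl.RawIssuer, subject.RawIssuer) {
		return nil, errors.New("CRL issuer does not match the certificate's issuer")
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil { // also requires issuer to be a CA with cRLSign
		return nil, fmt.Errorf("signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || !now.Before(rl.NextUpdate) { // absent nextUpdate = zero time = rejected
		return nil, fmt.Errorf("not current: thisUpdate=%v nextUpdate=%v", rl.ThisUpdate, rl.NextUpdate)
	}
	return rl, nil
}

// lookup reports whether serial is listed in a validated CRL and, if so, its CRLReason (0 if none).
func lookup(rl *x509.RevocationList, serial *big.Int) (status string, reason int) {
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 { // compare as integers, never as hex strings
			return Revoked, e.ReasonCode
		}
	}
	return NotRevoked, 0
}
func main() {
	ca, leaf, crlDER, err := buildTestPKI(time.Now())
	if err != nil {
		panic(err)
	}
	rl, err := validateCRL(crlDER, leaf, ca, time.Now())
	if err != nil {
		panic(err) // the checker would print CRL UNAVAILABLE here
	}
	fmt.Println(lookup(rl, leaf.SerialNumber)) // REVOKED 1
}
```

The split between validateCRL and lookup is the point: "NOT REVOKED" may only ever be printed for a CRL that passed signature, issuer and freshness checks. A checker that falls through to "not revoked" on a parse or signature failure hands anyone who can serve an empty or stale file from the CDP a free un-revocation.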

Challenge Assignment

Write a Rust program that:

  1. Reads a PEM certificate from a file
  2. Extracts the CRL Distribution Point URL(s) using x509-parser
  3. Downloads the CRL via HTTP (reqwest or ureq)
  4. Validates the CRL before trusting it: its signature verifies against the issuer
     certificate (supplied as a second PEM file) and thisUpdate <= now < nextUpdate;
     anything that fails here counts as unavailable, not as "not revoked"
  5. Parses the CRL to extract the revoked serial numbers list
  6. Checks whether the input certificate's serial number is in the revoked list, comparing
     serials as integers rather than as hex strings (leading zeros differ between tools)
  7. Prints: "REVOKED" / "NOT REVOKED" / "CRL UNAVAILABLE"

Use x509-parser's CRL parsing support.
This is a simplified version of what your provisioning service does internally.


Resources

  • RFC 5280 §5: Certificate Revocation Lists
  • RFC 5280 §4.2.1.13: CRL Distribution Points extension
  • x509-parser: CRL parsing support (parse_x509_crl)
  • reqwest or ureq for HTTP download