A Certificate Revocation List (CRL) is a ByteString containing the DER encoded form (see X690) of an X.509 v3 CRL. The CRL is issued by certifying authority and contains the serial numbers of the Certificates issued by that authority which are no longer valid. All CRLs shall have the extension defined in Table 46. The extension is defined completely in RFC 5280.

Table 49 – Certificate Revocation List Extensions

Extension

Description

authorityKeyIdentifier

Provides more information about the key used to sign the CRL.