A certificate revocation list (CRL) is used to validate digital certificates before they are used to access sensitive online data. A CRL is issued by the certificate authority and is generated and published on a set schedule. CRLs are only valid within a specified time frame, usually 24 hours or less. During this validity period, the CRL is consulted to validate a certificate before it is used.

Therefore, in order for a Public Key Infrastructure to perform effectively, one must have access to accurate and up-to-date certificate revocation lists.

Certificates on Hold

A certificate with a 'held' status, while technically considered revoked, is reversible and is generally used to indicate a temporary invalidity of a certificate.

Expired Certificates

Affixing a certificate with an expiration date is not an adequate substitute for a CRL. While it is true that all expired certificates are invalid, not all unexpired certificates are trustworthy. Mistakes and human error in certificate vetting are natural occurrences in real world operations.


Online Certificate Status Protocol is an alternative to using CRLs. OCSP uses less network bandwidth, which enables near real-time status checks. Such rapid status checks are advantageous in high volume mobile device operations like AirWatch.

There is also less data to parse when responding to an OCSP request, which means client-side libraries designed to handle these requests are less complex.