An analysis of Certificate Revocation List (CRL) sizes from various Certificate Authorities (CA)

Data on CRL availability, number of entries, expiry & refresh times, etc. from various x509 leaf server SSL certificates.

In light of Let's Encrypt announcing their Intent to End OCSP Service in favour of Certificate Revocation Lists (CRLs), we assembled some data today to guide our own roadmap.

CRL URLs are automatically allowed* in DiscrimiNAT Firewall for every TLS FQDN explicity allowed (from v2.7.0). This was done off the back of a specific customer request and we thought it was a great idea as well. Automatic allowlisting of OCSP URLs was put on the roadmap at the time but now with Let's Encrypt's announcement, we wanted to reconsider its importance.

* CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods HEAD and GET are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.

Data

Discuss on Hacker News | Discuss on Reddit | Discuss on Twitter | Discuss on LinkedIn | Discuss on Mastodon

As CSV: download

As table:

CA Org	CA CN	CRL URL	Uncompressed Size	Number of Entries	HTTP Cache-Control maxage	HTTP Expires	CRL Next Update	Compressed Response	Compressed Size	SSL Cert for CRL URL
Let's Encrypt	R3	not disclosed†								https://www.nih.gov
Let's Encrypt	R10	not disclosed†								https://slack.com/intl/en-gb/
Let's Encrypt	R11	not disclosed†								https://www.quora.com/
Let's Encrypt	E5	not disclosed†								https://stackoverflow.com/
Let's Encrypt	E6	not disclosed†								https://uk.indeed.com/
Cloudflare, Inc.	Cloudflare Inc ECC CA-3	http://crl3.digicert.com/CloudflareIncECCCA-3.crl	337	2	7200		7 days	n	318	https://discord.com/
Cloudflare, Inc.	Cloudflare Inc ECC CA-3	http://crl4.digicert.com/CloudflareIncECCCA-3.crl	337	2	7200		7 days	n	318	https://discord.com/
Amazon	Amazon RSA 2048 M01	http://crl.r2m01.amazontrust.com/r2m01.crl	137783	3922	7200		7 days	n	83634	https://www.imdb.com/
Amazon	Amazon RSA 2048 M01	http://crl.r2m01.amazontrust.com/r2m01.crl	137783	3922	7200		7 days	n	83634	https://*.cloudfront.net/
Amazon	Amazon RSA 2048 M01	http://crl.r2m01.amazontrust.com/r2m01.crl	137783	3922	7200		7 days	n	83634	https://*.s3.amazonaws.com
Amazon	Amazon RSA 2048 M02	http://crl.r2m02.amazontrust.com/r2m02.crl	577796	16493	7200		7 days	n	340430	https://www.figma.com/
Amazon	Amazon RSA 2048 M03	http://crl.r2m03.amazontrust.com/r2m03.crl	502847	14352	7200		7 days	n	294913	https://wetransfer.com/
Google Trust Services	WR2	http://c.pki.goog/wr2/oBFYYahzgVI.crl	6729	297	3000		10 days	n	6728	https://www.google.com/
Google Trust Services	WR2	http://c.pki.goog/wr2/9UVbN0w5E6Y.crl	7166	318	3000		10 days	n	7160	https://www.youtube.com/
Google Trust Services	WR2	http://c.pki.goog/wr2/75r4ZyA3vA0.crl	7410	329	3000		10 days	n	7414	https://ad.doubleclick.net
Google Trust Services	WR2	http://c.pki.goog/wr2/GSyT1N4PBrg.crl	7275	325	3000		10 days	n	7276	https://www.blogger.com/
Google Trust Services	WE1	http://c.pki.goog/we1/ygWPENklvpM.crl	420	3	3000		10 days	n	410	https://chatgpt.com/auth/login
Google Trust Services	WE1	http://c.pki.goog/we1/H9bdJBu1Tvg.crl	490	5	3000		10 days	n	472	https://www.canva.com/en_gb/
Google Trust Services	WE1	http://c.pki.goog/we1/T58q3x0jyXI.crl	418	3	3000		10 days	n	407	https://www.notion.so/
Google Trust Services	WE1	http://c.pki.goog/we1/FARePxy0M2M.crl	346	1	3000		10 days	n	354	https://www.sciencedirect.com/
Google Trust Services	WE1	http://c.pki.goog/we1/OhMZjmT1BfY.crl	527	6	3000		10 days	?	490	https://www.hubspot.com/
DigiCert Inc	DigiCert SHA2 High Assurance Server CA	http://crl3.digicert.com/sha2-ha-server-g6.crl	4172	88	7200		7 days	n	2803	https://www.facebook.com/
DigiCert Inc	DigiCert SHA2 High Assurance Server CA	http://crl4.digicert.com/sha2-ha-server-g6.crl	4172	88	7200		7 days	n	2803	https://www.facebook.com/
DigiCert Inc	DigiCert Global G2 TLS RSA SHA256 2020 CA1	http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl	11978628	331613	7200		7 days	n	6777256	https://x.com/
DigiCert Inc	DigiCert Global G2 TLS RSA SHA256 2020 CA1	http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl	11978628	331613	7200		7 days	n	6777256	https://x.com/
DigiCert Inc	DigiCert TLS Hybrid ECC SHA384 2020 CA1	http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl	5027	97	7200		7 days	n	2729	https://www.wikipedia.org/
DigiCert Inc	DigiCert TLS Hybrid ECC SHA384 2020 CA1	http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl	5027	97	7200		7 days	n	2729	https://www.wikipedia.org/
DigiCert Inc	DigiCert TLS RSA SHA256 2020 CA1	http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl	2243019	63316	7200		7 days	n	1262022	https://www.reddit.com/
DigiCert Inc	DigiCert TLS RSA SHA256 2020 CA1	http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl	2243019	63316	7200		7 days	n	1262022	https://www.reddit.com/
DigiCert Inc	RapidSSL ECC CA 2018	http://cdp.rapidssl.com/RapidSSLECCCA2018.crl	793	14	7200		7 days	n	699	https://www.tiktok.com/explore
DigiCert Inc	DigiCert Global CA G2	http://crl3.digicert.com/DigiCertGlobalCAG2.crl	11096	270	7200		7 days	n	6906	https://www.amazon.com/
DigiCert Inc	DigiCert Global CA G2	http://crl4.digicert.com/DigiCertGlobalCAG2.crl	11096	270	7200		7 days	n	6906	https://www.amazon.com/
DigiCert Inc	DigiCert SHA2 Secure Server CA	http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl	9503275	271422	7200		7 days	n	5532533	https://www.linkedin.com/
DigiCert Inc	DigiCert SHA2 Secure Server CA	http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl	9503275	271422	7200		7 days	n	5532533	https://www.linkedin.com/
DigiCert Inc	DigiCert Secure Site ECC CA-1	http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl	2608	66	7200		7 days	n	1888	https://www.netflix.com/gb/
DigiCert Inc	DigiCert Secure Site ECC CA-1	http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl	2608	66	7200		7 days	n	1888	https://www.netflix.com/gb/
DigiCert Inc	GeoTrust TLS RSA CA G1	http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl	1320449	36690	7200		7 days	n	784105	https://www.binance.com/en-GB
DigiCert Inc	GeoTrust RSA CA 2018	http://cdp.geotrust.com/GeoTrustRSACA2018.crl	8686	192	7200		7 days	n	5210	https://www.samsung.com/uk/
DigiCert Inc	DigiCert SHA2 Extended Validation Server CA	http://crl3.digicert.com/sha2-ev-server-g3.crl	445824	11510	7200		7 days	n	233542	https://www.paypal.com/uk/home
DigiCert Inc	DigiCert SHA2 Extended Validation Server CA	http://crl4.digicert.com/sha2-ev-server-g3.crl	445824	11510	7200		7 days	n	233542	https://www.paypal.com/uk/home
DigiCert Inc	Thawte RSA CA 2018	http://cdp.thawte.com/ThawteRSACA2018.crl	5184	116	7200		7 days	n	3367	https://www.nytimes.com/
DigiCert Inc	DigiCert Global G3 TLS ECC SHA384 2020 CA1	http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl	17144	389	7200		7 days	n	9584	https://cambridge.craigslist.org/
DigiCert Inc	DigiCert Global G3 TLS ECC SHA384 2020 CA1	http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl	17144	389	7200		7 days	n	9584	https://cambridge.craigslist.org/
DigiCert Inc	DigiCert EV RSA CA G2	http://crl3.digicert.com/DigiCertEVRSACAG2.crl	665536	16305	7200		7 days	n	335230	https://www.wellsfargo.com/
DigiCert Inc	DigiCert EV RSA CA G2	http://crl4.digicert.com/DigiCertEVRSACAG2.crl	665536	16305	7200		7 days	n	335230	https://www.wellsfargo.com/
Sectigo Limited	Sectigo RSA Organization Validation Secure Server CA	http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl	2959076	81170	3600		7 days	n	1703270	https://www.ebay.com/
GlobalSign nv-sa	GlobalSign Atlas R3 DV TLS CA 2024 Q1	http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q1.crl	358832	10237	3600		7 days	n	212997	https://www.forbes.com/
GlobalSign nv-sa	GlobalSign RSA OV SSL CA 2018	http://crl.globalsign.com/gsrsaovsslca2018.crl	143299	4284	3600		7 days	n	76738	https://www.gov.uk/
GlobalSign nv-sa	GlobalSign GCC R3 DV TLS CA 2020	http://crl.globalsign.com/gsgccr3dvtlsca2020.crl	50256	1559	3600		7 days	n	28419	https://soundcloud.com/
GlobalSign nv-sa	GlobalSign Atlas R3 DV TLS CA 2023 Q4	http://crl.globalsign.com/ca/gsatlasr3dvtlsca2023q4.crl	365412	10399	3600		7 days	n	216810	https://www.theguardian.com/uk
GlobalSign nv-sa	GlobalSign Atlas R3 DV TLS CA 2024 Q2	http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q2.crl	85279	2422	3600		7 days	n	52582	https://www.twitch.tv/
GlobalSign nv-sa	GlobalSign Atlas R3 DV TLS CA 2024 Q3	http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q3.crl	12133	333	3600		7 days	n	7636	https://edition.cnn.com/
GlobalSign nv-sa	GlobalSign ECC OV SSL CA 2018	http://crl.globalsign.com/gseccovsslca2018.crl	1305	29	3600		7 days	n	982	https://www.bbc.co.uk/
GlobalSign nv-sa	AlphaSSL CA - SHA256 - G4	http://crl.globalsign.com/alphasslcasha256g4.crl	33509	1033	3600		7 days	n	19047	https://www.researchgate.net/
GoDaddy.com, Inc.	Go Daddy Secure Certificate Authority - G2	http://crl.godaddy.com/gdig2s1-8229.crl	141209	3392	-	2 days	7 days	n	49050	https://telegram.org/
GoDaddy.com, Inc.	Go Daddy Secure Certificate Authority - G2	http://crl.godaddy.com/gdig2s1-14080.crl	24374	569	-	2 days	7 days	n	7736	https://archive.org/
Microsoft Corporation	Microsoft Azure RSA TLS Issuing CA 07	http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crl	7389	127	-	-	8 days	n	3190	https://www.microsoft.com/en-gb/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook
Microsoft Corporation	Microsoft Azure RSA TLS Issuing CA 08	http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crl	4737	76	-	-	8 days	n	2266	https://www.office.com/
Microsoft Corporation	Microsoft Azure ECC TLS Issuing CA 04	http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crl	363	0	-	-	8 days	n	353	https://www.bing.com/
Apple Inc.	Apple Public EV Server RSA CA 2 - G1	http://crl.apple.com/apevsrsa2g1.crl	973	14	3600		7 days	n	886	https://www.apple.com/
Certainly	Certainly Intermediate R1	-								https://open.spotify.com/
Entrust, Inc.	Entrust Certification Authority - L1M	http://crl.entrust.net/level1m.crl	1604629	36824	-	-	7 days	n	856211	https://www.chase.com/
Entrust, Inc.	Entrust Certification Authority - L1K	http://crl.entrust.net/level1k.crl	3309031	79411	-	-	7 days	n	1901158	https://www.espn.co.uk/
COMODO CA Limited	COMODO ECC Organization Validation Secure Server CA	http://crl.comodoca.com/COMODOECCOrganizationValidationSecureServerCA.crl	91641	2569	3600		7 days	n	56594	https://www.ups.com/gb/en/Home.page

† Our new CRL URLs will be disclosed only in CCADB, so that the Apple and Mozilla root programs can consume them without exposing them to potentially large download traffic from the rest of the internet at large. Source: https://letsencrypt.org/2022/09/07/new-life-for-crls.html

Observations

Work In Progress. Please follow these threads on social media for updates in the time being.

Discuss on Hacker News | Discuss on Reddit | Discuss on Twitter | Discuss on LinkedIn | Discuss on Mastodon