An analysis of Certificate Revocation List (CRL) sizes from various Certificate Authorities (CA)

Data on CRL availability, number of entries, expiry & refresh times, etc. from various x509 leaf server SSL certificates.

In light of Let's Encrypt announcing their Intent to End OCSP Service in favour of Certificate Revocation Lists (CRLs), we assembled some data today to guide our own roadmap.

CRL URLs are automatically allowed* in DiscrimiNAT Firewall for every TLS FQDN that is explicitly allowed (from v2.7.0). This was done off the back of a specific customer request, and we thought it was a great idea as well. Automatic allowlisting of OCSP URLs was put on the roadmap at the time, but with Let's Encrypt's announcement we wanted to reconsider its importance.

* CRL endpoints of X.509 SSL certificates, which are served over plaintext HTTP, are now automatically allowed for all allowlisted TLS FQDNs. Only the HTTP methods HEAD and GET are allowed to these URLs, and only from clients that otherwise have the TLS FQDNs (to which these CRL endpoints belong) allowed.

Data

As CSV: download

As table:

| CA Org | CA CN | CRL URL | Uncompressed Size (bytes) | Number of Entries | HTTP Cache-Control max-age (seconds) | HTTP Expires | CRL Next Update | Compressed Response | Compressed Size (bytes) | SSL Cert for CRL URL |
|---|---|---|---|---|---|---|---|---|---|---|
| Let's Encrypt | R3 | not disclosed† | | | | | | | | https://www.nih.gov |
| Let's Encrypt | R10 | not disclosed† | | | | | | | | https://slack.com/intl/en-gb/ |
| Let's Encrypt | R11 | not disclosed† | | | | | | | | https://www.quora.com/ |
| Let's Encrypt | E5 | not disclosed† | | | | | | | | https://stackoverflow.com/ |
| Let's Encrypt | E6 | not disclosed† | | | | | | | | https://uk.indeed.com/ |
| Cloudflare, Inc. | Cloudflare Inc ECC CA-3 | http://crl3.digicert.com/CloudflareIncECCCA-3.crl | 337 | 2 | 7200 | | 7 days | n | 318 | https://discord.com/ |
| Cloudflare, Inc. | Cloudflare Inc ECC CA-3 | http://crl4.digicert.com/CloudflareIncECCCA-3.crl | 337 | 2 | 7200 | | 7 days | n | 318 | https://discord.com/ |
| Amazon | Amazon RSA 2048 M01 | http://crl.r2m01.amazontrust.com/r2m01.crl | 137783 | 3922 | 7200 | | 7 days | n | 83634 | https://www.imdb.com/ |
| Amazon | Amazon RSA 2048 M01 | http://crl.r2m01.amazontrust.com/r2m01.crl | 137783 | 3922 | 7200 | | 7 days | n | 83634 | https://*.cloudfront.net/ |
| Amazon | Amazon RSA 2048 M01 | http://crl.r2m01.amazontrust.com/r2m01.crl | 137783 | 3922 | 7200 | | 7 days | n | 83634 | https://*.s3.amazonaws.com |
| Amazon | Amazon RSA 2048 M02 | http://crl.r2m02.amazontrust.com/r2m02.crl | 577796 | 16493 | 7200 | | 7 days | n | 340430 | https://www.figma.com/ |
| Amazon | Amazon RSA 2048 M03 | http://crl.r2m03.amazontrust.com/r2m03.crl | 502847 | 14352 | 7200 | | 7 days | n | 294913 | https://wetransfer.com/ |
| Google Trust Services | WR2 | http://c.pki.goog/wr2/oBFYYahzgVI.crl | 6729 | 297 | 3000 | | 10 days | n | 6728 | https://www.google.com/ |
| Google Trust Services | WR2 | http://c.pki.goog/wr2/9UVbN0w5E6Y.crl | 7166 | 318 | 3000 | | 10 days | n | 7160 | https://www.youtube.com/ |
| Google Trust Services | WR2 | http://c.pki.goog/wr2/75r4ZyA3vA0.crl | 7410 | 329 | 3000 | | 10 days | n | 7414 | https://ad.doubleclick.net |
| Google Trust Services | WR2 | http://c.pki.goog/wr2/GSyT1N4PBrg.crl | 7275 | 325 | 3000 | | 10 days | n | 7276 | https://www.blogger.com/ |
| Google Trust Services | WE1 | http://c.pki.goog/we1/ygWPENklvpM.crl | 420 | 3 | 3000 | | 10 days | n | 410 | https://chatgpt.com/auth/login |
| Google Trust Services | WE1 | http://c.pki.goog/we1/H9bdJBu1Tvg.crl | 490 | 5 | 3000 | | 10 days | n | 472 | https://www.canva.com/en_gb/ |
| Google Trust Services | WE1 | http://c.pki.goog/we1/T58q3x0jyXI.crl | 418 | 3 | 3000 | | 10 days | n | 407 | https://www.notion.so/ |
| Google Trust Services | WE1 | http://c.pki.goog/we1/FARePxy0M2M.crl | 346 | 1 | 3000 | | 10 days | n | 354 | https://www.sciencedirect.com/ |
| Google Trust Services | WE1 | http://c.pki.goog/we1/OhMZjmT1BfY.crl | 527 | 6 | 3000 | | 10 days | ? | 490 | https://www.hubspot.com/ |
| DigiCert Inc | DigiCert SHA2 High Assurance Server CA | http://crl3.digicert.com/sha2-ha-server-g6.crl | 4172 | 88 | 7200 | | 7 days | n | 2803 | https://www.facebook.com/ |
| DigiCert Inc | DigiCert SHA2 High Assurance Server CA | http://crl4.digicert.com/sha2-ha-server-g6.crl | 4172 | 88 | 7200 | | 7 days | n | 2803 | https://www.facebook.com/ |
| DigiCert Inc | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl | 11978628 | 331613 | 7200 | | 7 days | n | 6777256 | https://x.com/ |
| DigiCert Inc | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl | 11978628 | 331613 | 7200 | | 7 days | n | 6777256 | https://x.com/ |
| DigiCert Inc | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl | 5027 | 97 | 7200 | | 7 days | n | 2729 | https://www.wikipedia.org/ |
| DigiCert Inc | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl | 5027 | 97 | 7200 | | 7 days | n | 2729 | https://www.wikipedia.org/ |
| DigiCert Inc | DigiCert TLS RSA SHA256 2020 CA1 | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | 2243019 | 63316 | 7200 | | 7 days | n | 1262022 | https://www.reddit.com/ |
| DigiCert Inc | DigiCert TLS RSA SHA256 2020 CA1 | http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | 2243019 | 63316 | 7200 | | 7 days | n | 1262022 | https://www.reddit.com/ |
| DigiCert Inc | RapidSSL ECC CA 2018 | http://cdp.rapidssl.com/RapidSSLECCCA2018.crl | 793 | 14 | 7200 | | 7 days | n | 699 | https://www.tiktok.com/explore |
| DigiCert Inc | DigiCert Global CA G2 | http://crl3.digicert.com/DigiCertGlobalCAG2.crl | 11096 | 270 | 7200 | | 7 days | n | 6906 | https://www.amazon.com/ |
| DigiCert Inc | DigiCert Global CA G2 | http://crl4.digicert.com/DigiCertGlobalCAG2.crl | 11096 | 270 | 7200 | | 7 days | n | 6906 | https://www.amazon.com/ |
| DigiCert Inc | DigiCert SHA2 Secure Server CA | http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl | 9503275 | 271422 | 7200 | | 7 days | n | 5532533 | https://www.linkedin.com/ |
| DigiCert Inc | DigiCert SHA2 Secure Server CA | http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl | 9503275 | 271422 | 7200 | | 7 days | n | 5532533 | https://www.linkedin.com/ |
| DigiCert Inc | DigiCert Secure Site ECC CA-1 | http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl | 2608 | 66 | 7200 | | 7 days | n | 1888 | https://www.netflix.com/gb/ |
| DigiCert Inc | DigiCert Secure Site ECC CA-1 | http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl | 2608 | 66 | 7200 | | 7 days | n | 1888 | https://www.netflix.com/gb/ |
| DigiCert Inc | GeoTrust TLS RSA CA G1 | http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl | 1320449 | 36690 | 7200 | | 7 days | n | 784105 | https://www.binance.com/en-GB |
| DigiCert Inc | GeoTrust RSA CA 2018 | http://cdp.geotrust.com/GeoTrustRSACA2018.crl | 8686 | 192 | 7200 | | 7 days | n | 5210 | https://www.samsung.com/uk/ |
| DigiCert Inc | DigiCert SHA2 Extended Validation Server CA | http://crl3.digicert.com/sha2-ev-server-g3.crl | 445824 | 11510 | 7200 | | 7 days | n | 233542 | https://www.paypal.com/uk/home |
| DigiCert Inc | DigiCert SHA2 Extended Validation Server CA | http://crl4.digicert.com/sha2-ev-server-g3.crl | 445824 | 11510 | 7200 | | 7 days | n | 233542 | https://www.paypal.com/uk/home |
| DigiCert Inc | Thawte RSA CA 2018 | http://cdp.thawte.com/ThawteRSACA2018.crl | 5184 | 116 | 7200 | | 7 days | n | 3367 | https://www.nytimes.com/ |
| DigiCert Inc | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl | 17144 | 389 | 7200 | | 7 days | n | 9584 | https://cambridge.craigslist.org/ |
| DigiCert Inc | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl | 17144 | 389 | 7200 | | 7 days | n | 9584 | https://cambridge.craigslist.org/ |
| DigiCert Inc | DigiCert EV RSA CA G2 | http://crl3.digicert.com/DigiCertEVRSACAG2.crl | 665536 | 16305 | 7200 | | 7 days | n | 335230 | https://www.wellsfargo.com/ |
| DigiCert Inc | DigiCert EV RSA CA G2 | http://crl4.digicert.com/DigiCertEVRSACAG2.crl | 665536 | 16305 | 7200 | | 7 days | n | 335230 | https://www.wellsfargo.com/ |
| Sectigo Limited | Sectigo RSA Organization Validation Secure Server CA | http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl | 2959076 | 81170 | 3600 | | 7 days | n | 1703270 | https://www.ebay.com/ |
| GlobalSign nv-sa | GlobalSign Atlas R3 DV TLS CA 2024 Q1 | http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q1.crl | 358832 | 10237 | 3600 | | 7 days | n | 212997 | https://www.forbes.com/ |
| GlobalSign nv-sa | GlobalSign RSA OV SSL CA 2018 | http://crl.globalsign.com/gsrsaovsslca2018.crl | 143299 | 4284 | 3600 | | 7 days | n | 76738 | https://www.gov.uk/ |
| GlobalSign nv-sa | GlobalSign GCC R3 DV TLS CA 2020 | http://crl.globalsign.com/gsgccr3dvtlsca2020.crl | 50256 | 1559 | 3600 | | 7 days | n | 28419 | https://soundcloud.com/ |
| GlobalSign nv-sa | GlobalSign Atlas R3 DV TLS CA 2023 Q4 | http://crl.globalsign.com/ca/gsatlasr3dvtlsca2023q4.crl | 365412 | 10399 | 3600 | | 7 days | n | 216810 | https://www.theguardian.com/uk |
| GlobalSign nv-sa | GlobalSign Atlas R3 DV TLS CA 2024 Q2 | http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q2.crl | 85279 | 2422 | 3600 | | 7 days | n | 52582 | https://www.twitch.tv/ |
| GlobalSign nv-sa | GlobalSign Atlas R3 DV TLS CA 2024 Q3 | http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q3.crl | 12133 | 333 | 3600 | | 7 days | n | 7636 | https://edition.cnn.com/ |
| GlobalSign nv-sa | GlobalSign ECC OV SSL CA 2018 | http://crl.globalsign.com/gseccovsslca2018.crl | 1305 | 29 | 3600 | | 7 days | n | 982 | https://www.bbc.co.uk/ |
| GlobalSign nv-sa | AlphaSSL CA - SHA256 - G4 | http://crl.globalsign.com/alphasslcasha256g4.crl | 33509 | 1033 | 3600 | | 7 days | n | 19047 | https://www.researchgate.net/ |
| GoDaddy.com, Inc. | Go Daddy Secure Certificate Authority - G2 | http://crl.godaddy.com/gdig2s1-8229.crl | 141209 | 3392 | - | 2 days | 7 days | n | 49050 | https://telegram.org/ |
| GoDaddy.com, Inc. | Go Daddy Secure Certificate Authority - G2 | http://crl.godaddy.com/gdig2s1-14080.crl | 24374 | 569 | - | 2 days | 7 days | n | 7736 | https://archive.org/ |
| Microsoft Corporation | Microsoft Azure RSA TLS Issuing CA 07 | http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crl | 7389 | 127 | - | - | 8 days | n | 3190 | https://www.microsoft.com/en-gb/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook |
| Microsoft Corporation | Microsoft Azure RSA TLS Issuing CA 08 | http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crl | 4737 | 76 | - | - | 8 days | n | 2266 | https://www.office.com/ |
| Microsoft Corporation | Microsoft Azure ECC TLS Issuing CA 04 | http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crl | 363 | 0 | - | - | 8 days | n | 353 | https://www.bing.com/ |
| Apple Inc. | Apple Public EV Server RSA CA 2 - G1 | http://crl.apple.com/apevsrsa2g1.crl | 973 | 14 | 3600 | | 7 days | n | 886 | https://www.apple.com/ |
| Certainly | Certainly Intermediate R1 | - | | | | | | | | https://open.spotify.com/ |
| Entrust, Inc. | Entrust Certification Authority - L1M | http://crl.entrust.net/level1m.crl | 1604629 | 36824 | - | - | 7 days | n | 856211 | https://www.chase.com/ |
| Entrust, Inc. | Entrust Certification Authority - L1K | http://crl.entrust.net/level1k.crl | 3309031 | 79411 | - | - | 7 days | n | 1901158 | https://www.espn.co.uk/ |
| COMODO CA Limited | COMODO ECC Organization Validation Secure Server CA | http://crl.comodoca.com/COMODOECCOrganizationValidationSecureServerCA.crl | 91641 | 2569 | 3600 | | 7 days | n | 56594 | https://www.ups.com/gb/en/Home.page |

† Our new CRL URLs will be disclosed only in CCADB, so that the Apple and Mozilla root programs can consume them without exposing them to potentially large download traffic from the rest of the internet at large. Source: https://letsencrypt.org/2022/09/07/new-life-for-crls.html
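To make the columns above concrete, here is an added example that is not the page's own tooling and not DiscrimiNAT code: a stdlib-only walker over RFC 5280's CertificateList DER structure that reports a CRL's uncompressed size, number of revokedCertificates entries, thisUpdate/nextUpdate, gzip-compressed size and bytes per entry. The CRL it measures is a constructed, unsigned sample built inline (the issuer name, serial numbers, dates and the all-zero placeholder signature are made up); to measure a real list, pass the bytes of a downloaded .crl file to crl_stats instead.

```python
"""Measure a DER CRL the way the table above does: bytes, entries, validity window,
and size after gzip. Standard library only; the sample CRL is constructed and unsigned."""
import gzip
from datetime import datetime, timezone


# --- minimal DER helpers -----------------------------------------------------
def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a TLV with the given tag."""
    return bytes([tag]) + der_len(len(content)) + content


def der_children(buf: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed DER value."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                      # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + ln]
        i += ln


def der_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


# --- the measurement ---------------------------------------------------------
def crl_stats(crl_der: bytes) -> dict:
    """Return the size / entry / validity figures for one DER-encoded CertificateList."""
    (outer_tag, outer), = der_children(crl_der)        # CertificateList SEQUENCE
    assert outer_tag == 0x30, "not a DER SEQUENCE"
    tbs = next(der_children(outer))[1]                  # tbsCertList is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0x02:                            # optional version INTEGER
        fields.pop(0)
    fields = fields[2:]                                 # skip signature AlgorithmIdentifier and issuer Name
    times = [der_time(t, v) for t, v in fields if t in (0x17, 0x18)]   # thisUpdate, optional nextUpdate
    revoked = [v for t, v in fields if t == 0x30]       # revokedCertificates SEQUENCE, if present
    entries = len(list(der_children(revoked[0]))) if revoked else 0
    next_update = times[1] if len(times) > 1 else None
    compressed = gzip.compress(crl_der, compresslevel=9)   # what a Content-Encoding: gzip response would carry
    return {
        "uncompressed_size": len(crl_der),
        "entries": entries,
        "this_update": times[0],
        "next_update": next_update,
        "next_update_days": (next_update - times[0]).days if next_update else None,
        "compressed_size": len(compressed),
        "bytes_per_entry": round(len(crl_der) / entries, 1) if entries else None,
    }


# --- constructed sample: an unsigned CRL, not issued by any real CA ---------------
def build_sample_crl(n_entries: int = 3) -> bytes:
    """Build a syntactically valid CertificateList with n_entries revoked serials and a dummy signature."""
    def utc(s: str) -> bytes:
        return der(0x17, s.encode("ascii"))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"Example CRL Issuer"))))
    entries = b"".join(
        der(0x30, der(0x02, bytes([0x10 + i]) + bytes(15)) + utc("240901120000Z"))  # 16-byte serial + revocation time
        for i in range(n_entries)
    )
    tbs = der(0x30, der(0x02, b"\x01") + sha256_rsa + issuer
              + utc("241001000000Z") + utc("241008000000Z")           # thisUpdate, nextUpdate one week later
              + (der(0x30, entries) if entries else b""))             # omit revokedCertificates when empty (RFC 5280)
    fake_sig = der(0x03, b"\x00" + bytes(256))                          # placeholder BIT STRING, not a real signature
    return der(0x30, tbs + sha256_rsa + fake_sig)


if __name__ == "__main__":
    print(crl_stats(build_sample_crl()))
```

Each revokedCertificates entry is a SEQUENCE holding an INTEGER serial and a Time, so with 16-byte serials an entry costs about 35 bytes and a CRL's size grows linearly with its revocation count; the constant part (issuer, times, signature) is what dominates the tiny sample here. Serial numbers are random, so gzip cannot shrink the entry list by much, which is worth remembering when sizing egress allowances for CRL fetches. The walker reads only the fields it needs, tolerates both time encodings and the absence of nextUpdate, and does not verify the signature: it is a measuring tool, not a validator.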

Observations

Work in progress. Please follow these threads on social media for updates in the meantime.

Discuss on Hacker News | Discuss on Reddit | Discuss on Twitter | Discuss on LinkedIn | Discuss on Mastodon