CRL Watch

Certificate Authority Operators With CRL Problems

Operator# Affected Issuers

Certificate Issuers With CRL Problems

Issuer IDOperatorProblem TimeProblem

Methodology

CRL Watch downloads the AllCertificateRecordsCSVFormatv4 report from the CCADB to determine the CRL URLs for every certificate issuer, and uses the DownloadCRL function from the open source software.sslmate.com/src/crlutil Go package to download and parse the CRLs. If downloading or parsing fails, CRL Watch records the error on this page and tries again later. Note that CRL Watch is NOT a linter and does not do comprehensive checks for standards compliance. It only does basic sanity checks to ensure that a CA's CRL disclosure is valid and usable.

CRL Watch runs every 4 hours (44 minutes past 2, 6, 10, 14, 18, 22 UTC), so it may take up to 4 hours for CRL Watch to update after a new version of AllCertificateRecordsCSVFormatv4 is published.

Note that if a subject and key appears in multiple CA certificates, then CRL Watch will take the union of the CRL URLs disclosed for each certificate, and treat them as belonging to a single issuer. Any errors will be associated with the issuer rather than an individual certificate. This means that to fix problems reported by CRL Watch, you may need to update more than one CCADB record. To view information about the issuer, including a list of its certificates, click the issuer ID in the table.

Troubleshooting Tips

"error parsing [URL]: CRL issuer ([ISSUER]) does not match CA subject ([SUBJECT])"

[ISSUER] and [SUBJECT] are hex-encoded DER. You can decode using a command such as xxd -r -p | openssl asn1parse -inform DER or der2ascii -hex (get der2ascii here), or you can use asn1.js in your browser.

Possible cause: The DER encoding of [URL]'s Issuer is not byte-for-byte identical to the DER encoding of the Subject of the CA certificate in the CCADB. Note that if different ASN.1 string types are used, the DER will not be byte-for-byte identical.

Fix: Reissue the CRL to contain an Issuer that matches the CA certificate's Subject.

Possible cause: The CCADB disclosure(s) contain the wrong URL.

Fix: Update the CCADB to reference a CRL with the correct Issuer.

Remember:

"error parsing [URL]: Issuing Distribution Point does not contain expected URL"

Possible cause: The CRL at [URL] is either missing an Issuing Distribution Point extension, or the extension is present but doesn't contain a URL which is byte-for-byte identical to [URL].

Fix: Reissue the CRL to contain [URL] in the IDP extension.

Possible cause: The CCADB disclosure(s) contain the wrong URL.

Fix: Update the CCADB to reference a CRL that has the right IDP extension.

Remember:

"[URL] has incorrect Content-Type [CONTENT-TYPE]"

Per RFC 5280, the RECOMMENDED Content-Type of CRL responses is application/pkix-crl. While there may exist valid reasons in particular circumstances to ignore this recommendation, the full implications must be understood and carefully weighed before choosing a different course. If you have a valid reason to use a different Content-Type, please open an issue to explain your reasoning. Otherwise, you need to fix your web server to serve the correct Content-Type for [URL].

CSV Feeds of CRL Problems

Check a CRL Disclosure

Enter the values exactly as they would appear in the CCADB (see CCADB documentation).

Issuer ID
crt.sh
Subject
Subject (DER)
SPKI (SHA-256)
SPKI (DER)
Certificates
Disclosed CRLs