From time to time, Certificate Authorities (CAs) issue certificate revocation lists (CRLs). CRLs contain information about certificates that can no longer be trusted. For example, suppose Ann leaves XYZ Corporation. The company can place Ann's certificate on a CRL to prevent her from signing messages with that key.
Similarly, you can revoke a certificate if a private key is compromised or if that certificate has expired and a new one is in use. Before you trust a public key, make sure that the certificate does not appear on a CRL.
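The check described above, as an added example that is not part of the NetScaler documentation: a shell script that uses the openssl command-line tool to build a throwaway CA, issue a certificate for Ann, and verify it against the CA's CRL before and after revocation. The names "XYZ Demo CA" and "ann" and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Constructed names: "XYZ Demo CA", "ann". Requires the openssl CLI.
verdict() {  # is ann.crt acceptable when the current CRL is consulted?
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl ann.crt >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}
crl_check_demo() {
  dir=$(mktemp -d) || return 1
  (
    set -e; cd "$dir"
    mkdir newcerts; : > index.txt; echo 01 > serial   # state files "openssl ca" expects
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    # Throwaway CA, then a certificate for Ann signed by it.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=XYZ Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=ann" -keyout ann.key -out ann.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in ann.csr -out ann.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null   # CRL with no entries yet
    before=$(verdict)
    # Ann leaves: revoke her certificate and publish a fresh CRL.
    openssl ca -config ca.cnf -revoke ann.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    echo "$before $(verdict)"
  )
  rc=$?; rm -rf "$dir"; return "$rc"
}
crl_check_demo   # prints: trusted rejected
```

The certificate's signature and validity dates are unchanged between the two checks; only the CRL differs, which is why a verifier that skips the CRL lookup would keep accepting the revoked certificate.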
NetScaler Gateway supports the following two CRL types:
- CRLs that list the certificates that are revoked or are no longer valid
- Online Certificate Status Protocol (OCSP), an Internet protocol used for obtaining the revocation status of X.509 certificates