Kindly requesting assistance in clarifying where the CRL URL should be obtained in order to do CRL validation on an X.509 certificate, since it was not specifically clear in the specification [1].
- Should we extract the CRL URL from the certificate itself or from the issuer certificate associated with the certificate being validated?
- Furthermore, if the default behavior is to obtain the CRL URL from the certificate itself, and the CRL URL is unavailable in the certificate itself, is it customary to obtain it from the issuer certificate?
Any assistance on these two questions would be greatly appreciated.
[1] - https://datatracker.ietf.org/doc/html/rfc5280
According to other communities and docs, it seemed to me that getting the CRL URL from the certificate itself (which the issuer signed) is the default way.
From the certificate being validated.
No. The URL in the issuer certificate is used to validate the issuer certificate's own revocation status, not the current certificate's. If the URL is unavailable, or otherwise failing, the application shall report a "revocation offline" error.
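A small illustration of the answer above, added here as an example and not code from the original thread: it reads the CRL Distribution Points extension from the certificate being validated, never from the issuer, and reports "revocation offline" when that certificate carries none. It uses only Go's standard `crypto/x509` package; the CA, leaf and URLs are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevocationOffline = errors.New("revocation offline: no usable CRL distribution point") // outcome named in the answer

// crlURLsForValidation returns the CRL URLs to fetch when checking leaf's revocation status.
// They come from leaf's own CRL DP extension; issuer is accepted but deliberately not consulted.
func crlURLsForValidation(leaf, issuer *x509.Certificate) ([]string, error) {
	if len(leaf.CRLDistributionPoints) == 0 {
		return nil, ErrRevocationOffline
	}
	return leaf.CRLDistributionPoints, nil
}

// issue builds a test certificate with the given CRL distribution points. With parent == nil it
// is a self-signed CA; otherwise it is signed by parent. Constructed data, not a real PKI.
func issue(serial int64, cn string, crlDPs []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		CRLDistributionPoints: crlDPs,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```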