
CRL Partitioning for Public TLS Certificates Issued from DigiCert ICA Certificates

Solution ID : ALERT96
Last Modified : 06/23/2026

On September 15, 2026, all public DigiCert TLS certificates will contain Certificate Revocation List Distribution Point (CRLDP) URLs that point to a smaller, partitioned CRL containing a subset of all revocations. Collectively, the partitioned CRLs will contain all the revoked certificates.

This URL will point to a partitioned CRL containing revoked certificates from the issuing ICA. This article refers to the issuing ICA certificate as the CRL scope. Each partitioned CRL will be limited to approximately 9.5 MB.

No action is required. For standard HTTPS traffic, certificate revocation checking is typically handled automatically by web browsers, operating systems, and other software.

 


Why DigiCert is using partitioned CRLs

DigiCert is moving to partitioned CRLs to reduce reliance on large complete CRLs for public TLS certificates issued from DigiCert ICA certificates. Each partitioned CRL is limited to approximately 9.5 MB.

Partitioned CRLs help improve scalability and performance in large public key infrastructure (PKI) environments by reducing the amount of revocation data that clients need to download and process.

For newly issued public TLS certificates, the Certificate Revocation List Distribution Point (CDP) extension will contain a URL for a partitioned CRL instead of a complete CRL. Aside from the smaller scope of the CRL, the revocation-checking process remains the same and follows standard CRL distribution practices. DigiCert Online Certificate Status Protocol (OCSP) services and behavior are not affected by CRL partitioning.

 

Will DigiCert continue publishing complete CRLs?

Yes, complete CRLs remain available.

DigiCert continues to publish complete CRLs to:

  • CCADB
  • DigiCert CRL servers

 

How CRL partitioning works

Currently, DigiCert includes two complete CDP URLs in public TLS certificates. Beginning September 15, 2026, DigiCert will include one CDP URL, and it will point to a partitioned CRL.

Example of a partitioned CDP URL:

URI: http://crl3.digicert.com/DigiCertEVRSACAG2-1.crl

Example of a complete CDP URL:

URI: http://crl3.digicert.com/DigiCertEVRSACAG2.crl

Note: A complete CRL contains all revoked certificates for the applicable CRL scope. A partitioned CRL contains revoked certificates for a partition within that same scope. Revocation data included in a partitioned CRL is also included in the complete CRL.

 

How does this affect me?

The move to partitioned CRLs does not require any action.

Web browsers, devices, customer applications, and libraries typically manage certificate revocation checking for standard HTTPS traffic.

 

Background

Certificate Authorities (CAs) must publish revocation information for revoked certificates using Certificate Revocation Lists (CRLs).

When DigiCert revokes a TLS certificate, the certificate serial number is added to the appropriate CRL.

TLS certificates include CRL Distribution Point (CDP) information that tells web browsers, devices, applications, and libraries where to retrieve revocation information. They can then use this CRL information to determine whether a certificate has been revoked.
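
The lookup described above, shown as an added example (not DigiCert code): a minimal DER walk that finds the CRL Distribution Points extension (OID 2.5.29.31) and returns its URIs, which is how a client learns the CRL URL from the certificate itself. The sample extension bytes are constructed from this article's example URLs, and the helper names are hypothetical.

```python
# Added example, not DigiCert code. Standard library only.
OID_CDP = bytes.fromhex("551d1f")  # 2.5.29.31, id-ce-cRLDistributionPoints

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield every TLV in [start, end), descending into constructed ones."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        if tag & 0x20:  # constructed bit: SEQUENCE (0x30), [0] (0xA0), ...
            yield from walk(buf, vs, ve)
        start = ve

def cdp_uris(der):
    """Return the URIs ([6] uniformResourceIdentifier, tag 0x86) in the CDP extension."""
    for tag, vs, ve in walk(der, 0, len(der)):
        if tag == 0x06 and der[vs:ve] == OID_CDP:
            tag, vs, ve = read_tlv(der, ve)      # critical flag or extnValue
            if tag == 0x01:                      # skip optional BOOLEAN critical
                tag, vs, ve = read_tlv(der, ve)
            if tag != 0x04:
                raise ValueError("CDP extension has no OCTET STRING value")
            return [der[a:b].decode("ascii") for t, a, b in walk(der, vs, ve) if t == 0x86]
    return []

def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(value)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + value

def sample_cdp_extension(urls):
    """Constructed Extension SEQUENCE with one DistributionPoint per URL."""
    points = b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, u.encode())))) for u in urls)
    return tlv(0x30, tlv(0x06, OID_CDP) + tlv(0x04, tlv(0x30, points)))

PARTITIONED = "http://crl3.digicert.com/DigiCertEVRSACAG2-1.crl"  # from the article
COMPLETE = "http://crl3.digicert.com/DigiCertEVRSACAG2.crl"       # from the article

if __name__ == "__main__":
    print(cdp_uris(sample_cdp_extension([PARTITIONED])))
```

`cdp_uris` also accepts the DER bytes of a whole certificate, since the walk descends through the certificate's nested SEQUENCEs until it reaches the extension.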

Learn about CRLs and revoked certificates.