Ask a Question

Advanced Search

Solution ID : SO28908

Last Modified : 05/02/2018

SSL Certificate Revocation List (CRL) IP Addresses

Solution

The Certificate Revocation List (CRL) is a list of certificates that have been suspended or revoked prior to their expiration dates. It is digitally signed by an IA and issued periodically or as needed. We have upgraded our SSL Certificate Revocation List (CRL) infrastructure on May 6, 2013 to provide faster responses and a better experience for our customers.

Some benefits:

  • Faster response time – CRL requests will be served from the closest location to the user with a dramatically improved average response time.
  • 100+ additional new sites – more sites handling CRL request means improved availability and reliability all over the globe.

It is strongly recommended that any firewall policies and/or access control devices use URLs and not IP addresses. Thawte can change these IP addresses at any time without notification. If possible, white-list the below entry on your firewall policies and/or access control devices to ensure seamless access to our CRL services:

*.Thawte.com

Below is the full list of our CRL FQDN (Fully Qualified Domain Name):

Note: If white-listing wildcard entries is not permitted, you can white-list the below entries:

ta1.symcb.com
tb1.symcb.com
tc1.symcb.com
td1.symcb.com
te1.symcb.com
tf1.symcb.com
tg1.symcb.com
th1.symcb.com
ti1.symcb.com
tj1.symcb.com
tk1.symcb.com
tl1.symcb.com
ta.symcb.com
tb.symcb.com
tc.symcb.com
td.symcb.com
te.symcb.com
tf.symcb.com
tg.symcb.com
th.symcb.com
ti.symcb.com
tj.symcb.com
tk.symcb.com
tl.symcb.com
tm.symcb.com
tn.symcb.com
to.symcb.com

 

Below is the full list of our CRL IP Addresses:

Get the full list of IP addresses 

Note: If your corporate firewall is configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to take the following actions:

  • Install or add the IP addresses to your existing list – do not replace the old IP addresses and your existing rules for Thawte CRL IP addresses should not be deleted.
  • Test outbound connectivity. Below is a full list of IP addresses for outbound connectivity test.
    List of Test URLs
    When you are testing the IP’s, please note that not all 128 IP's are 'up' all the time. When testing connectivity with one of the IP’s you may not get a response from the IP. This is by design because those IP's are technically 'out of rotation' and won't be resolved to when a DNS query is made against the CRL service.