Ask a Question

Advanced Search

Solution ID : SO28908

Last Modified : 05/02/2018

SSL Certificate Revocation List (CRL) IP Addresses


The Certificate Revocation List (CRL) is a list of certificates that have been suspended or revoked prior to their expiration dates. It is digitally signed by an IA and issued periodically or as needed. We have upgraded our SSL Certificate Revocation List (CRL) infrastructure on May 6, 2013 to provide faster responses and a better experience for our customers.

Some benefits:

  • Faster response time – CRL requests will be served from the closest location to the user with a dramatically improved average response time.
  • 100+ additional new sites – more sites handling CRL request means improved availability and reliability all over the globe.

It is strongly recommended that any firewall policies and/or access control devices use URLs and not IP addresses. Thawte can change these IP addresses at any time without notification. If possible, white-list the below entry on your firewall policies and/or access control devices to ensure seamless access to our CRL services:


Below is the full list of our CRL FQDN (Fully Qualified Domain Name):

Note: If white-listing wildcard entries is not permitted, you can white-list the below entries:


Below is the full list of our CRL IP Addresses:

Get the full list of IP addresses 

Note: If your corporate firewall is configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to take the following actions:

  • Install or add the IP addresses to your existing list – do not replace the old IP addresses and your existing rules for Thawte CRL IP addresses should not be deleted.
  • Test outbound connectivity. Below is a full list of IP addresses for outbound connectivity test.
    List of Test URLs
    When you are testing the IP’s, please note that not all 128 IP's are 'up' all the time. When testing connectivity with one of the IP’s you may not get a response from the IP. This is by design because those IP's are technically 'out of rotation' and won't be resolved to when a DNS query is made against the CRL service.