What does a Certificate Revocation List (CRL) contain?

Study for the EC-Council Certified Encryption Specialist Test.

A Certificate Revocation List (CRL) is a crucial component of public key infrastructure (PKI) that lists digital certificates that have been revoked before their expiration date. Revocation may occur for various reasons, such as the private key being compromised, the certificate holder's identity no longer being valid, or the certificate having been issued in error.

The CRL is maintained by the certificate authority (CA) and serves as a mechanism for users to check the validity of certificates. When a certificate is revoked, it is added to the CRL, which is then made accessible to users and applications that rely on these certificates for secure communications. This ensures that anyone presented with a certificate can verify whether it is still trustworthy.

In contrast, the other options relate to different aspects of cryptography and do not pertain to the purpose of a CRL. AES and RSA are encryption algorithms, and keys for them have nothing to do with the revocation status of certificates. New certificates are issued by a CA and signify a fresh entry into the PKI system, rather than documenting the revocation of existing certificates. Thus, understanding the role of a CRL is essential for anyone involved in managing or using digital certificates within secure communications.
