Certificate revocation lists
You can revoke certificates when the key or CA has been compromised, or the certificate is no longer valid for the original purpose. CAs maintain a list of revoked certificates.
The default certificate revocation list (CRL) only applies to locally-signed certificates that are created by Sophos Firewall and is automatically added to the CRL when you add a new CA.
For externally-created certificates, you must upload a CRL from the corresponding external CA.