Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=CRLManage

Certificate revocation lists

Certificates are revoked, for example, when the private key or CA has been compromised or the certificate is no longer valid for the original purpose. CAs maintain a list of revoked certificates.

  • You can only revoke locally-signed certificates in the firewall. The firewall automatically updates the default certificate revocation list (CRL) with the revoked certificate details.

    To download a CRL, click Download for the CA you want. You can then extract the .crl file from the .tar file.

  • For externally-generated certificates, you must upload a CRL from the corresponding external CA.