Adding CRL URLs to certificates

On March 12, 2025, Let’s Encrypt will start including CRL (Certificate Revocation List) URLs in certificates we issue, in addition to the OCSP URLs we already include. This is part of our previously announced changes to deprecate support for OCSP. CRLs and OCSP are two different mechanisms to fetch certificate revocation information. As of May 7, 2025, we will stop including OCSP URLs in certificates.

We’ve been operating CRL services since 2022, with a list of all our CRL URLs in the Common CA Database. What’s changing now is that each certificate will include a link to the CRL it will appear on if revoked.

Server operators do not need to make any changes. Some TLS clients may begin fetching CRLs from Let’s Encrypt, which could affect users with strict outgoing firewalls.

This change is live in our staging environment now.
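For operators with strict egress rules, this added example (not part of the original post and not Let's Encrypt code) lists the revocation URLs a certificate carries and the hosts they point to, for both the CRL and the OCSP case. It walks the DER with the standard library only; the helper names, the `example.test` hosts and the sample bytes are constructed for illustration.

```python
from urllib.parse import urlsplit

CRL_DP = bytes.fromhex("551d1f")            # 2.5.29.31 cRLDistributionPoints
AIA = bytes.fromhex("2b06010505070101")     # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OCSP = bytes.fromhex("2b06010505073001")    # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def tlvs(buf):                               # yields (tag, value) per top-level DER element
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                         # long form: length is in the next n & 0x7F bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def ext_value(der, oid):                     # inner DER of Extension{oid, ..., OCTET STRING}
    for tag, val in tlvs(der):
        kids = list(tlvs(val)) if tag & 0x20 else []   # only constructed types nest
        if kids and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
            return kids[-1][1]
        if kids and (found := ext_value(val, oid)) is not None:
            return found
    return None                              # extension absent

def uris(der, only=None):                    # URI GeneralNames (tag 0x86) under der
    out = []
    for tag, val in tlvs(der or b""):
        first = next(tlvs(val), None) if tag & 0x20 else None
        if tag == 0x86:
            out.append(val.decode("ascii"))
        elif first and not (only and first[0] == 0x06 and first[1] != only):
            out += uris(val, only)           # skips AIA entries whose method is not `only`
    return out

def revocation_hosts(der):                   # -> (crl_urls, ocsp_urls, hosts to allow)
    crl, ocsp = uris(ext_value(der, CRL_DP)), uris(ext_value(der, AIA), only=OCSP)
    return crl, ocsp, sorted({urlsplit(u).hostname for u in crl + ocsp})

def tlv(tag, *parts):                        # sample builder only: short-form lengths
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def ext(oid, inner):                         # Extension ::= SEQUENCE { OID, OCTET STRING }
    return tlv(0x30, tlv(0x06, oid), tlv(0x04, inner))
# Constructed sample, not a real certificate: only the nesting down to two extensions.
OCSP_EXT = ext(AIA, tlv(0x30, tlv(0x30, tlv(0x06, OCSP), tlv(0x86, b"http://ocsp.example.test"))))
CRL_EXT = ext(CRL_DP, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/1.crl"))))))
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, OCSP_EXT, CRL_EXT))))
print(revocation_hosts(SAMPLE))
```

To run it against a real certificate, pass `revocation_hosts` the DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` on the PEM text.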

This change is live in our production environment now.