CRL still included in 6-day certificates

As of today 6-day certificates still include CRL.

        X509v3 CRL Distribution Points: 
            Full Name:
              URI:http://ye1.c.lencr.org/50.crl

Yet the blog posts about the upcoming 6-day certificates mentioned that CRL would not be included.

Announcing Six Day and IP Address Certificate Options in 2025 · January 16, 2025:

Our six-day certificates will not include OCSP or CRL URLs.

We Issued Our First Six Day Cert · February 20, 2025:

Our six-day certificates will not include OCSP or CRL URLs.

That first six day cert did not include CRL.

6-day and IP Address Certificates are Generally Available · January 15, 2026:
No mention of CRL.

I’m wondering why CRL is still present after all.

IIRC the Microsoft root program didn't remove the CRL or OCSP requirement for short-lived certificates, so LE had to keep it.

All issuing CA certificates must contain either a CDP extension with a valid CRL and/or an AIA extension to an OCSP responder. An end-entity certificate may contain either an AIA extension with a valid OCSP URL and/or a CDP extension pointing to a valid HTTP endpoint containing the CRL. If an AIA extension with a valid OCSP URL is NOT included, then the resulting CRL File should be <10MB.
Program Requirements - Microsoft Trusted Root Program | Microsoft Learn

3 Likes
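An added example, not from any poster in this thread, that applies the quoted end-entity rule to `openssl x509 -noout -text` output such as the CRL Distribution Points block at the top of the thread. The sample outputs are constructed; only the lencr.org CRL URI is from the thread, and the example.invalid URLs are placeholders.

```python
import re

# Extension headers of interest in `openssl x509 -noout -text` output.
HEADER = re.compile(
    r"^(\s*)(X509v3 CRL Distribution Points|Authority Information Access):( critical)?\s*$")
KIND = {"X509v3 CRL Distribution Points": "crl", "Authority Information Access": "aia"}

def revocation_pointers(text):
    """Return (crl_uris, ocsp_uris) listed in the CDP and AIA extensions."""
    crl, ocsp, section, indent = [], [], None, 0
    for line in text.splitlines():
        cur = len(line) - len(line.lstrip())
        if section and line.strip() and cur <= indent:
            section = None  # back at extension-header depth: previous section ended
        m = HEADER.match(line)
        if m:
            indent, section = len(m.group(1)), KIND[m.group(2)]
            continue
        if section == "crl":
            crl += re.findall(r"\bURI:(\S+)", line)
        elif section == "aia":
            ocsp += re.findall(r"OCSP - URI:(\S+)", line)
    return crl, ocsp

def check_end_entity(text):
    """Apply the quoted Microsoft end-entity rule: an OCSP URL and/or an HTTP CRL URL.
    Without an OCSP URL, the quoted <10 MB limit applies to the referenced CRL file."""
    crl, ocsp = revocation_pointers(text)
    has_ocsp = any(u.startswith("http://") for u in ocsp)
    has_http_crl = any(u.startswith("http://") for u in crl)
    return {"crl": crl, "ocsp": ocsp, "compliant": has_ocsp or has_http_crl,
            "crl_size_limit_applies": has_http_crl and not has_ocsp}

# Constructed samples; only the lencr.org CRL URI comes from the thread.
SAMPLE_CRL_ONLY = """\
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://ye1.c.lencr.org/50.crl
            X509v3 Subject Alternative Name: 
                DNS:www.example.invalid
"""
SAMPLE_OCSP_ONLY = """\
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.invalid
                CA Issuers - URI:http://ca.example.invalid/issuer.der
            X509v3 Basic Constraints: critical
                CA:FALSE
"""
SAMPLE_NEITHER = """\
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

if __name__ == "__main__":
    for name in ("SAMPLE_CRL_ONLY", "SAMPLE_OCSP_ONLY", "SAMPLE_NEITHER"):
        print(name, check_end_entity(globals()[name]))
```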

Ref: Shortlived profile certificate revocation

5 Likes

I'm not sure how you get a CRL within the CRL Distribution Points extension (RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile), so I guess only OCSP can be used for CA certificates.

Also, the current location for the Program Requirements - Microsoft Trusted Root Program is https://aka.ms/RootCert.

Edit: This comment was not to assert non-compliance, just that the requirements are poorly written. The requirements also do not reflect current practice such as still allowing Root CA certificates to sign OCSP responses.