The source from where I learn states:-
CRL (Certificate Revocation List) is the primary means of checking status of certificates offline.
But I can't seem to understand how is it possible for a single device (smartphone, computer etc) to store the status of every single certificate that has been revoked in existence? Won't the certificate dump become a little too big incorporating every single certificate that has been revoked?
Each CA has their own revocation list. When your device validates a certificate, it determines what CA was used to sign it, downloads the CRL (whose URL is included in the CA certificate) and checks if the serial number of the certificate is included in it.
Since all certificates have expiration dates, then any certificate in a CRL can be removed from the CRL when it expires. This prevents the CRL from growing forever.
That being said, CRL aren't used anymore by many clients, which now rely on other mechanisms like OCSP stapling.
The end entities (phones, PCs, etc.) doesn't store the CRL files. I mean doesn't store permanently. :)
In the Certificate there's a field called CRL Distribution Points where the CRL file could be downloaded. These files are issued by the CA and contains the list of revoked certificates. While the validation process this file is downloaded and checked against the certificate Serial#.
If the list doesn't contain the Serial# that means it isn't revoked. That doesn't mean it is valid, but not revoked.
Since these files could grow extremely large, downloading every certificate validation is not the best practice because it causes huge network load. That's why CRL cache is used where the validator can cache the downloaded CRL file and checked there periodically. BUT it could give false-negative result if the certificate was revoked and new CRL file is issued in the cached timeframe.
