Efficient Certificate Revocation at Scale Using AWS Private CA

Introduction

Managing private certificates at scale can be challenging, especially when you have thousands (or millions) of certificates to issue and revoke. Traditionally, a Certificate Revocation List (CRL) grows with every revoked certificate, which can become unwieldy and inefficient. To address this, AWS has recently enhanced AWS Private CA with support for partitioned CRLs, dramatically expanding scale, reducing overhead, and making certificate revocation more efficient.

In this post, we’ll explain:

  • What a partitioned CRL is (vs. a complete CRL)
  • What changes with AWS Private CA now that it supports it
  • Benefits and best practices
  • How to enable partitioned CRLs

Complete CRL vs Partitioned CRL — Understanding the Difference

Complete CRL (Traditional way)

  • The CA maintains a single CRL file listing every revoked (and unexpired) certificate.
  • With a complete CRL, the maximum number of certificates per CA (with revocation enabled) is 1 million.
  • As certificates are revoked, this list grows, and performance, bandwidth, or processing on clients can degrade (especially for large deployments or IoT devices).

Partitioned CRL (New approach)

  • The CA breaks the revocation list into multiple smaller CRL partitions. Each partition is a separate CRL file.
  • Each partition CRL carries an Issuing Distribution Point (IDP) extension, and each issued certificate carries in its metadata a unique CRL Distribution Point URI that tells clients exactly which CRL partition to check.
  • With partitioned CRLs, a single CA can manage up to 100 million certificates (instead of 1 million).
  • The CA remains standards-compliant (RFC 5280), and clients that respect IDP and CRL Distribution Point (CDP) extensions will work seamlessly.

In short, partitioned CRLs enable you to scale dramatically, keeping revocation lists manageable, performant, and efficient, even for massive deployments.

What This Means for AWS & Your PKI?

With support for partitioned CRLs, AWS Private CA becomes much more powerful for large-scale environments. Here are the core benefits:

  • Large-scale certificate issuance — You no longer need to create multiple CAs just to stay under the 1 M cert limit. A single CA can now support up to 100 M certificates.
  • Better performance & lower overhead — Smaller CRL partitions reduce download time, memory footprint, and processing load on clients (especially important for IoT devices, internal services, or constrained endpoints).
  • Simplified CA management — Revocation remains efficient, CA rotation and issuance workflows are streamlined, and you eliminate the need for complex CA sprawl just to support scale.
  • Backward-compatible and standards-compliant — Partitioned CRL is optional. Existing CAs with a complete CRL continue to work, and new or migrated CAs can enable partitioning seamlessly.
  • Improved revocation responsiveness — When a certificate is revoked, only the relevant partition needs updating. Clients validate against a smaller set, making revocation propagation faster and more reliable.

How to Enable Partitioned CRLs in AWS Private CA?

If you run AWS Private CA and want to scale up, here’s how to enable partitioned CRLs (even on existing CAs):

  • Open the AWS Management Console → Private Certificate Authorities.
  • Select the CA you want to configure.
  • Go to the Revocation configuration tab.
  • Click Edit.
  • Enable CRL distribution (if not already enabled).
  • Under CRL settings, check Enable partitioning.
  • (Optional) Set a Custom CRL Name / Custom Path, useful if you want to control the name or URL clients use to fetch CRLs.
  • Save changes.

Once enabled, AWS Private CA will automatically partition CRLs as needed. Certificates issued will reference the correct partition via the IDP extension, and revocation will scale smoothly.
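The console steps above have an API equivalent. The following is an added example, not AWS's or the author's code: it builds the revocation configuration that turns on partitioned CRLs, applies it with boto3, and reads the CA back to confirm the change. The field names `CrlType` (`COMPLETE` or `PARTITIONED`) and `CustomPath` are assumed from the current AWS Private CA `CrlConfiguration` reference and should be checked against the API version you run; `CA_ARN`, `CRL_BUCKET` and `CRL_CNAME` are placeholder environment variables.

```python
"""Enable partitioned CRLs on an existing AWS Private CA via the API.

Added example, not AWS's or the author's code. Assumes the CrlConfiguration
fields CrlType ("COMPLETE" | "PARTITIONED") and CustomPath as documented in
the current AWS Private CA API reference; verify against your boto3 version.
"""
import os
import re

# Conservative S3 bucket-name check: lowercase letters, digits, dots, hyphens.
S3_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_crl_config(bucket, expiration_days=7, custom_cname=None, custom_path=None):
    """Return the RevocationConfiguration payload that enables partitioned CRLs."""
    if not S3_BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    if not 1 <= expiration_days <= 5000:
        raise ValueError("ExpirationInDays must be between 1 and 5000")
    crl = {
        "Enabled": True,                      # "Enable CRL distribution"
        "ExpirationInDays": expiration_days,  # how long each published CRL is valid
        "S3BucketName": bucket,               # distribution endpoint
        "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
        "CrlType": "PARTITIONED",             # "Enable partitioning" (assumed field)
    }
    if custom_cname:
        crl["CustomCname"] = custom_cname     # optional friendly CRL hostname
    if custom_path:
        crl["CustomPath"] = custom_path.strip("/")  # optional custom path (assumed field)
    return {"CrlConfiguration": crl}


def is_partitioned(revocation_configuration):
    """True when a CA's RevocationConfiguration has partitioned CRLs enabled."""
    crl = revocation_configuration.get("CrlConfiguration", {})
    return crl.get("Enabled") is True and crl.get("CrlType") == "PARTITIONED"


def main():
    import boto3  # only needed when actually talking to AWS

    ca_arn = os.environ["CA_ARN"]           # placeholder: the CA to reconfigure
    bucket = os.environ["CRL_BUCKET"]       # placeholder: CRL distribution bucket
    client = boto3.client("acm-pca")
    client.update_certificate_authority(
        CertificateAuthorityArn=ca_arn,
        RevocationConfiguration=build_crl_config(
            bucket, custom_cname=os.environ.get("CRL_CNAME")
        ),
    )
    # Read the CA back and confirm the setting took effect.
    described = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)
    current = described["CertificateAuthority"]["RevocationConfiguration"]
    print("partitioned CRLs enabled:", is_partitioned(current))


if __name__ == "__main__":
    main()
```

The bucket policy must still allow the CA service principal to write CRL objects, exactly as for a complete CRL; `is_partitioned` is the check to run afterwards (or in an audit job) so that a CA left on a complete CRL is caught before it approaches the 1 million-certificate limit.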

Best Practices & Considerations

  • Client compatibility — Ensure that clients validating certificates support IDP and CRL Distribution Point extensions. Because the IDP extension on each partition CRL is marked critical, clients that do not understand it may reject the CRL and fail to validate the certificate.
  • CRL distribution endpoint — Use a reliable Amazon S3 bucket or internal distribution point, especially if clients are internal or on-prem. Consider custom CNAMEs for easier client configuration.
  • Monitoring & logging — Monitor revocation list updates and CA activity. AWS services, such as Amazon CloudWatch, Amazon S3 access logs, or integration with audit pipelines, help maintain visibility and compliance.
  • Plan the CA lifecycle carefully — With the higher limit, you can avoid frequent CA rotation. But still plan for key rollover, certificate retirement, and revoke-when-compromised policies.
  • Use OCSP alongside (if possible) — For some clients, OCSP may be more efficient than CRL, especially when frequent revocations occur and real-time status matters.

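To make the complete-vs-partitioned difference and the client-compatibility caveat concrete, here is an added example (not AWS's or the author's code) that models the behaviour in plain Python: a toy CA assigns each issued certificate to a partition, publishes one CRL per partition carrying a critical IDP extension, and a relying party checks a certificate only against the partition named in its CDP URI, as RFC 5280 §6.3.3 requires. It also shows that a client that cannot interpret the critical IDP must reject the CRL, and that a CRL whose IDP does not match the certificate's CDP is out of scope and must not be used. The class and function names, the serial-range partitioning rule and the `crl.example.test` URIs are all constructed for the illustration; real ASN.1 encoding and signatures are left out.

```python
"""Model of partitioned CRL lookup as an RFC 5280 client performs it.

Constructed example, not AWS Private CA code: a toy CA fills partitions by
serial range, each partition CRL carries a critical Issuing Distribution
Point (IDP), and the client consults only the partition named in the
certificate's CRL Distribution Point (CDP).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    serial: int
    cdp_uri: str  # CRL Distribution Point: the one partition to consult


@dataclass
class PartitionCRL:
    idp_uri: str                 # Issuing Distribution Point: scope of this CRL
    idp_critical: bool = True    # marked critical, as on AWS partition CRLs
    revoked: set = field(default_factory=set)


class CRLRejected(Exception):
    """The client cannot accept the CRL it fetched; status is unknown."""


class ToyCA:
    """Issues certificates and keeps one CRL per partition (constructed model)."""

    def __init__(self, base_uri, partition_size):
        self.base_uri = base_uri
        self.partition_size = partition_size
        self.next_serial = 1
        self.certs = {}          # serial -> Cert
        self.partitions = {}     # partition URI -> PartitionCRL

    def issue(self):
        serial = self.next_serial
        self.next_serial += 1
        # Assignment rule used by this model: consecutive serial ranges.
        index = (serial - 1) // self.partition_size
        uri = f"{self.base_uri}/crl-{index}.crl"
        self.partitions.setdefault(uri, PartitionCRL(idp_uri=uri))
        cert = Cert(serial, uri)
        self.certs[serial] = cert
        return cert

    def revoke(self, serial):
        # Only the partition that the certificate points to is updated.
        self.partitions[self.certs[serial].cdp_uri].revoked.add(serial)

    def complete_crl_entries(self):
        """Entries a single complete CRL would have to carry."""
        return sum(len(p.revoked) for p in self.partitions.values())

    def largest_partition_entries(self):
        """Entries in the largest partition, i.e. the most a client downloads."""
        return max(len(p.revoked) for p in self.partitions.values())


def check_revocation(cert, crl_store, understands_idp=True):
    """Return True if revoked, False if not; raise CRLRejected if undecidable."""
    crl = crl_store.get(cert.cdp_uri)
    if crl is None:
        raise CRLRejected(f"no CRL available at {cert.cdp_uri}")
    if crl.idp_critical and not understands_idp:
        # RFC 5280: an unrecognised critical CRL extension means the CRL is unusable.
        raise CRLRejected("critical IDP extension not understood")
    if crl.idp_uri != cert.cdp_uri:
        # RFC 5280 §6.3.3: the CRL's IDP must match the certificate's CDP.
        raise CRLRejected("IDP does not match certificate CDP: CRL out of scope")
    return cert.serial in crl.revoked


if __name__ == "__main__":
    ca = ToyCA("http://crl.example.test", partition_size=4)
    certs = [ca.issue() for _ in range(10)]
    for s in (2, 5, 9):
        ca.revoke(s)
    print("partitions:", len(ca.partitions))
    print("complete CRL entries:", ca.complete_crl_entries(),
          "largest partition:", ca.largest_partition_entries())
    print("serial 5 revoked:", check_revocation(certs[4], ca.partitions))
    try:
        check_revocation(certs[4], ca.partitions, understands_idp=False)
    except CRLRejected as e:
        print("legacy client:", e)
```

The two failure paths are the ones worth watching in production: a fleet of clients that ignore or reject the critical IDP will start failing validation the moment partitioning is enabled, and a client that accepts any CRL from the issuer without the IDP/CDP match could be fed a stale or wrong partition and miss a revocation.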
Conclusion

The addition of partitioned CRL support is a significant upgrade to AWS Private CA. It removes one of the biggest scaling roadblocks for private certificate infrastructure, the 1 million-certificate limit.

Now, with support for up to 100 million certificates per CA and efficient revocation, AWS Private CA has become a robust, enterprise-grade solution even for very large organizations, IoT fleets, or complex multi-account architectures within AWS.

If you are running or planning a large-scale internal PKI, or you anticipate high certificate issuance and revocation rates, enabling partitioned CRLs should be among your top priorities.


FAQs

1. What is a Certificate Revocation List (CRL)?

ANS: – A CRL is a list published by a Certificate Authority (CA) that contains the serial numbers of certificates that have been revoked and are no longer trusted, even if they have not yet expired.

2. What is the difference between a complete CRL and a partitioned CRL?

ANS: – A complete CRL is a single file containing all revoked certificates issued by a CA. A partitioned CRL splits this list into multiple smaller CRL files, with each certificate pointing to the specific CRL partition to which it belongs.

3. Is partitioned CRL standards-compliant?

ANS: – Yes. Partitioned CRLs follow the RFC 5280 standard. Clients that correctly support the CRL Distribution Point (CDP) and Issuing Distribution Point (IDP) extensions will work seamlessly.

WRITTEN BY Khushali Shamit Vohra

Khushali Vohra works as a Subject Matter Expert at CloudThat with 3 years of hands-on experience designing, deploying, and securing scalable solutions on AWS Cloud. She specializes in cloud infrastructure, migration, and cloud-native services, helping businesses optimize their cloud environments. Passionate about knowledge sharing, Khushali regularly contributes to technical blogs and training programs to empower others on their cloud journey.
