CISSP Practice Domain 3 — Security Architecture and Engineering Q22 of 120

In a public-key infrastructure, what does a CRL contain?

A CISSP practice question covering Domain 3: Security Architecture and Engineering. Try answering before reading the explanation below.

A. Certificates that are still valid
B. Certificates that have been revoked before their expiration (✓ Correct answer)
C. All issued certificates regardless of status
D. Trusted root certificates only

Why "Certificates that have been revoked before their expiration" is the right answer

A Certificate Revocation List (CRL) enumerates certificates that were revoked early (compromise, role change, etc.). OCSP is the live-query alternative. Valid certificates are not on a CRL; it lists only those whose trust was withdrawn before natural expiry.
