
Clarification on the Location where CRL URL should be Obtained in CRL Validation of X509 Certificates


Kindly requesting assistance in clarifying the location where the CRL URL should be obtained in order to do CRL validation on an X509 certificate, since it was not specifically clear in the specification [1].

  1. Should we extract the CRL URL from the certificate itself or from the issuer certificate associated with the validating certificate?
  2. Furthermore, if the default behavior is to obtain the CRL URL from the certificate itself and if the CRL URL is unavailable in the certificate itself, is it customary to obtain it from the issuer certificate?

Any assistance on these two questions would be greatly appreciated.

[1] - https://datatracker.ietf.org/doc/html/rfc5280

According to other communities and docs, it seemed to me that getting the CRL URL from the certificate itself (which the issuer signed) is the default way.


Solution

  • Should we extract the CRL URL from the certificate itself or from the issuer certificate associated with the validating certificate?

    From the certificate being validated.

  • Furthermore, if the default behavior is to obtain the CRL URL from the certificate itself and if the CRL URL is unavailable in the certificate itself, is it customary to obtain it from the issuer certificate?

    No. The URL in the issuer certificate is used to validate the issuer certificate's revocation status, not the current certificate's. If the URL is unavailable, or otherwise failing, the application shall report a "revocation offline" error.
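The rule the answer gives, worked through with Go's standard-library crypto/x509 package as an added example (not code from the question or the answer): a constructed self-signed CA and two certificates it issues, all with made-up names and URLs. The CRL URLs are read only from the certificate being validated, and a certificate with no CRL distribution point yields a "revocation offline" error instead of falling back to the issuer's URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
)
// ErrRevocationOffline is the status the answer says to report when the certificate under validation has no CRL URL.
var ErrRevocationOffline = errors.New("revocation offline: certificate has no CRL distribution point")
// crlURLsForValidation returns the CRL URLs for checking cert's OWN revocation status.
// Only cert's CRLDistributionPoints extension is consulted; the issuer's is never used as a fallback.
func crlURLsForValidation(cert *x509.Certificate) ([]string, error) {
	if len(cert.CRLDistributionPoints) == 0 {
		return nil, ErrRevocationOffline
	}
	return cert.CRLDistributionPoints, nil
}

// must panics on error; acceptable here because every input is constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed test certificate (a self-signed CA when parent is nil) whose CRL DPs are exactly crls.
func issue(serial int64, cn string, crls []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		IsCA: parent == nil, BasicConstraintsValid: true, CRLDistributionPoints: crls}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	ca, caKey := issue(1, "Constructed Test CA", []string{"http://ca.example.test/ca.crl"}, nil, nil)
	leaf, _ := issue(2, "leaf.example.test", []string{"http://ca.example.test/leaf.crl"}, ca, caKey)
	bare, _ := issue(3, "bare.example.test", nil, ca, caKey)
	fmt.Println(crlURLsForValidation(leaf)) // [http://ca.example.test/leaf.crl] <nil>  (leaf's URL, not the CA's)
	fmt.Println(crlURLsForValidation(bare)) // [] revocation offline: certificate has no CRL distribution point
}
```

The CA's own URL (ca.crl) would only be fetched when checking the CA certificate's status one step up the chain.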