What is a CRL?


A Certificate Revocation List (CRL) is a list of digital certificates that the issuing certificate authority (CA) has revoked before their scheduled expiration date and that should no longer be trusted. CRLs are maintained by CAs and contain certificates that have either been irreversibly revoked or have been marked as temporarily invalid. The CRL does not include expired certificates. CRLs are generated and published periodically, often at a defined interval, and can also be published immediately after a certificate has been revoked. The certificates covered by a CRL are most often X.509 public key certificates, as this format is commonly used by PKI schemes. The main purpose of a CRL is for CAs to make it known that a site's digital certificate is not trustworthy. It warns a site's visitors not to access the site, which may be fraudulently impersonating a legitimate site, and also protects visitors from man-in-the-middle attacks.
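The check a relying party performs against a CRL, as an added example that is not part of the original article. It uses the Python `cryptography` package; the CA name, key, serial numbers and the function names `build_sample_crl` and `revocation_status` are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def build_sample_crl(now):
    """Constructed CA key and CRL: serial 1001 revoked, serial 1002 on hold."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Example CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + dt.timedelta(days=7)))  # periodic publication interval
    for serial, reason in ((1001, x509.ReasonFlags.key_compromise),
                           (1002, x509.ReasonFlags.certificate_hold)):
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(reason), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()), ca_key.public_key()

def revocation_status(crl, ca_public_key, serial, at):
    """Return 'good', 'revoked', 'on-hold', or why the CRL itself cannot be used."""
    # A CRL is only meaningful if the issuing CA signed it.
    if not crl.is_signature_valid(ca_public_key):
        return "crl-signature-invalid"
    # Assumes nextUpdate is present; older library releases expose a naive UTC value.
    next_update = (getattr(crl, "next_update_utc", None)
                   or crl.next_update.replace(tzinfo=UTC))
    if at > next_update:
        return "crl-stale"  # a newer CRL should have been published by now
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"  # not listed; expiry is checked separately, not via the CRL
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return "revoked"
    # certificateHold is the temporary state; every other reason is permanent.
    return "on-hold" if reason == x509.ReasonFlags.certificate_hold else "revoked"
```

A relying party would treat `crl-stale` and `crl-signature-invalid` as "status unknown" and decide by policy whether to fail closed.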
