diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1083,6 +1083,13 @@
 ca_cert_path);
 else
 SSL_CTX_set_default_verify_paths(ctx);
+ if (getenv("SSL_CRL_VERIFY") != NULL) {
+ if (verbose)
+ fetch_info("CRL verification enabled");
+ X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx),
+ X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL);
+ }
 if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
 if (verbose)
 fetch_info("Using CRL file: %s", crl_file);
diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 7, 2023
+.Dd November 4, 2024
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -420,6 +420,10 @@
 A certificate revocation list (CRL) can be used by setting the environment
 variable
 .Ev SSL_CRL_FILE
+to the respective file containing the CRL,
+or by setting the environment variable
+.Ev SSL_CRL_VERIFY
+to look for the CRL in the configured trust store file or path
 (see
 .Xr crl 1 ) .
 .Pp
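Review bot: The new `if (getenv("SSL_CRL_VERIFY") != NULL)` block does not record that it makes verification fail closed: once X509_V_FLAG_CRL_CHECK is set, OpenSSL rejects a chain for which no CRL can be found (X509_V_ERR_UNABLE_TO_GET_CRL), and X509_V_FLAG_CRL_CHECK_ALL extends that requirement to every intermediate CA, so a trust store without CRLs and no SSL_CRL_FILE turns every connection into a verify error. That is the right posture for an opt-in knob, but it is the surprise a maintainer will hit, so add above the `if`: `/* Fail closed: with CRL_CHECK[_ALL] every CA in the chain must have a CRL in the trust store or in SSL_CRL_FILE below. */`. The variable is tested for presence only, so an empty `SSL_CRL_VERIFY=` also enables checking; if that is intended, the fetch.3 text should say "set to any value" rather than just "setting the environment variable". The flags are applied to the context's verify parameters via SSL_CTX_get0_param, which presumably runs before any SSL object is created from ctx; the enclosing function starts and ends outside the hunk.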