For firewall purposes, trying to identify the cert revocation URL's for the major root CA's. Are these documented somewhere?
In addition to Crypt32's answer you should be able to get a CRL from a certificate itself. For instance if you look at the certificate for https://www.google.com (using a browser) you can see a CRL distribution point of http://crl.pki.goog/GTS1O1.crl The two certificates above it in the chain also have CRLs.