[openssl-users] Should I / How to remove expired certificates from CRL

Jakob Bohm jb-openssl at wisemo.com
Thu Feb 9 13:16:50 UTC 2017

On 09/02/2017 10:58, PM Extra wrote:
> Should I remove expired certificates from CRL?
> If so, how to do this?
Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.

In that case, they will still need to be able to see, in the latest
CRL, if and when a (now expired) certificate was revoked before it
expired.  This is also the reason it can be important to add a
"backdated" revocation to a CRL, e.g. if a breach of a private key
has been detected as happening around a specific time.  As always
there is the fundamental issue of deciding if the party reporting
loss of a private key is lying to deny responsibility for something
that was recently signed by that party.

So I would not remove actual revocations from CRL lists, but would
instead rotate issuing intermediary certificates such that a new
intermediary (with its own CRL) is introduced a few times/year.
   Some time after all certificates issued by an old intermediary
expire, but before the intermediary itself expires, it should sign
a "final" CRL that doesn't expire.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list