[openssl-users] Should I / How to remove expired certificates from CRL

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Feb 9 13:18:29 UTC 2017

If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.

This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.

I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread:

It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common.

I'm sure there are other people on the list who know more about current practices in this area than I do.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list