|Applies To||RSA Certificate Manager (RCM); RSA Certificate Manager 6.8; Keon Certificate Authority; Certificate Revocation List (CRL)|
|Issue||Are expired certificates removed from a CRL? Does RCM keep certificates on the CRL after they have expired?|
|Cause||If a certificate is revoked (or suspended) before its configured expiry date, its serial number and revocation date are placed on the CRL. Once the certificate's own validity period has passed, the entry is eventually removed from the CRL.|
|Resolution||This is the correct behavior for a CRL as defined in RFC 3280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002), which states:|
When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (e.g., an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key. Under such circumstances, the CA needs to revoke the certificate.
The first check a client should make when examining a certificate is whether the current time falls inside its validity period; this check is local and fast. Only then does the client consult a CRL (a locally cached copy, or one fetched from the CRL distribution point) to see whether the certificate has been revoked.
Because the checks run in this order, a CRL never needs to list certificates that have already expired: the validity-period check has already rejected them before the CRL is consulted. RFC 3280 section 5 does, however, require that an entry not be removed from the CRL until it has appeared on at least one regularly scheduled CRL issued after the revoked certificate's validity period ends, so that a relying party holding the last pre-expiry CRL still sees the revocation.
RCM therefore keeps an expired certificate on one CRL following its expiration. Expired certificates can be retained on the CRL for a configurable number of days by means of a parameter in xudad.conf.
Here are the details:
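The following Python is an added illustration, not code or configuration from RCM or from this article. It models the retention rule described above (an entry stays on the CRL while the certificate is valid, appears on at least one CRL issued after expiry, and is then dropped once a configurable grace period has elapsed) together with the relying-party order of checks (validity dates first, CRL second). All names are hypothetical; `retention_days` stands in for the unnamed xudad.conf parameter, and the serial numbers and dates are constructed for the walk-through.

```python
# Added example, not part of the RCM article. Models CRL entry retention and
# the relying-party check order. All identifiers are hypothetical;
# retention_days stands in for the (unnamed) xudad.conf parameter.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def utc(year, month, day):
    """Constructed UTC timestamps for the scenario below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    not_after: datetime            # the revoked certificate's own expiry


@dataclass
class CrlIssuer:
    """Issues scheduled CRLs and prunes entries that are no longer required."""
    retention_days: int = 0        # hypothetical analogue of the xudad.conf setting
    _entries: dict = field(default_factory=dict)          # serial -> RevokedEntry
    _listed_after_expiry: set = field(default_factory=set)

    def revoke(self, entry: RevokedEntry) -> None:
        self._entries[entry.serial] = entry

    def issue(self, this_update: datetime) -> list[int]:
        """Return the serials listed on the CRL dated this_update.

        An entry is listed while the certificate is unexpired, until it has
        appeared on one CRL issued after expiry (RFC 3280 section 5), and for
        retention_days beyond expiry. Anything left off is dropped for good.
        """
        listed = []
        for serial, entry in self._entries.items():
            grace_end = entry.not_after + timedelta(days=self.retention_days)
            if (this_update <= entry.not_after
                    or serial not in self._listed_after_expiry
                    or this_update <= grace_end):
                listed.append(serial)
                if this_update > entry.not_after:
                    self._listed_after_expiry.add(serial)
        # Entries omitted from this CRL will never be needed again.
        self._entries = {s: self._entries[s] for s in listed}
        self._listed_after_expiry &= set(listed)
        return sorted(listed)


def check_certificate(serial, not_before, not_after, now, crl_serials):
    """Relying-party order: validity dates first (local, cheap), then the CRL."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"           # CRL is never consulted for an expired cert
    if serial in crl_serials:
        return "revoked"
    return "good"


def scenario(retention_days: int) -> dict:
    """Constructed walk-through: two revoked certificates, four scheduled CRLs."""
    ca = CrlIssuer(retention_days=retention_days)
    ca.revoke(RevokedEntry(1001, utc(2024, 1, 15), not_after=utc(2024, 3, 1)))
    ca.revoke(RevokedEntry(1002, utc(2024, 2, 1), not_after=utc(2025, 1, 1)))
    return {
        "2024-02-01": ca.issue(utc(2024, 2, 1)),
        "2024-03-02": ca.issue(utc(2024, 3, 2)),   # first CRL after 1001 expired
        "2024-03-20": ca.issue(utc(2024, 3, 20)),
        "2024-04-05": ca.issue(utc(2024, 4, 5)),
    }


if __name__ == "__main__":
    for days in (0, 30):
        print(f"retention_days={days}:", scenario(days))
    last_crl = scenario(0)["2024-04-05"]        # 1001 no longer listed
    print(check_certificate(1001, utc(2023, 3, 1), utc(2024, 3, 1),
                            utc(2024, 4, 15), last_crl))   # expired, not revoked
```

With `retention_days=0`, serial 1001 appears on the 2024-02-01 and 2024-03-02 CRLs (the latter being the one scheduled CRL after its expiry) and is gone from 2024-03-20 onward; with `retention_days=30` it stays through 2024-03-20 and drops off at 2024-04-05. Either way a client evaluating 1001 after 2024-03-01 reports "expired" before it ever looks at the CRL, which is why dropping the entry is safe.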
|Legacy Article ID||a16567|