000025704 - Are expired certificates removed from a CRL?

Article Number: 000025704

Applies To:
RSA Certificate Manager (RCM)
RSA Certificate Manager 6.8
Keon Certificate Authority
Certificate Revocation List (CRL)

Issue:
Are expired certificates removed from a CRL?
Does RCM keep certificates on a CRL once they have expired?

Cause:
If a certificate is suspended or revoked before its configured expiry date, its details are placed on the CRL (certificate revocation list). Once the certificate's expiry date has passed, the entry is removed from the CRL.

Resolution:
This is the correct behavior for a CRL, as defined in RFC 3280 (Internet X.509 Public Key Infrastructure, April 2002) and explained in the following statement:

When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (e.g., an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key. Under such circumstances, the CA needs to revoke the certificate.

The first check that a client system should make when examining a certificate is whether it has a valid date; this check may be done locally and quickly. Then the client may read through a local CRL, or make an online CRL check, to see whether the certificate has been revoked.

This sequence of events means that a CRL will never need to list expired certificates since the validity check will have already taken place.

RCM can, however, be configured to keep expired certificates on the CRL after their expiration, either for a set number of days or indefinitely, based on a configuration parameter in xudad.conf.

Here are the details:

To retain expired certificates in revocation lists:

1. Locate the xudad.conf file at <installed dir>\Xudad\conf.

2. Open xudad.conf using a text editor and add the following directive under the caoperations section:

keep_expired_certs_on_crl_and_arl value

where value can be one of the following numbers:

  Any negative number: keeps expired certificates in revocation lists until the directive is changed (for example, -1).
  Any positive number: the number of days to keep expired certificates in revocation lists (for example, 100 keeps expired certificates for 100 days).
  0: removes expired certificates from revocation lists. This is the default behavior when the directive is absent.

For an example of the caoperations section in xudad.conf, see "Promptpin" on page 69.

3. Restart Certificate Manager.
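The following added example (not RCM code) models the retention rule above: it reads the keep_expired_certs_on_crl_and_arl value from xudad.conf text and decides whether a revoked certificate should still be listed on a CRL issued on a given date. It assumes the directive appears as a whitespace-separated "name value" line and ignores the section structure of xudad.conf, which the article does not show; the sample conf fragment and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Directive name as given in the article (under the caoperations section of xudad.conf).
DIRECTIVE = "keep_expired_certs_on_crl_and_arl"


def parse_retention(conf_text: str) -> int:
    """Return the directive's value, or 0 when it is absent (the article's default).

    Assumption: the directive is a single whitespace-separated 'name value' line.
    """
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == DIRECTIVE:
            return int(parts[1])
    return 0


def listed_on_crl(retention: int, not_after: datetime, this_update: datetime) -> bool:
    """Should a revoked certificate still appear on a CRL issued at this_update?

    retention < 0  -> keep it indefinitely after expiry
    retention == 0 -> drop it as soon as not_after has passed (default)
    retention > 0  -> keep it for that many days after not_after
    """
    if this_update <= not_after:
        return True  # still within its validity period: always listed
    if retention < 0:
        return True
    if retention == 0:
        return False
    return this_update <= not_after + timedelta(days=retention)


# Constructed xudad.conf fragment containing only the directive line.
SAMPLE_CONF = "keep_expired_certs_on_crl_and_arl 100\n"


def demo() -> dict:
    """Evaluate one revoked certificate (constructed expiry) against several CRL issue dates."""
    retention = parse_retention(SAMPLE_CONF)
    not_after = datetime(2024, 1, 1, tzinfo=timezone.utc)
    checks = {
        "before_expiry": datetime(2023, 12, 1, tzinfo=timezone.utc),
        "day_60_after": datetime(2024, 3, 1, tzinfo=timezone.utc),
        "day_100_after": datetime(2024, 4, 10, tzinfo=timezone.utc),
        "day_101_after": datetime(2024, 4, 11, tzinfo=timezone.utc),
    }
    return {name: listed_on_crl(retention, not_after, when) for name, when in checks.items()}


if __name__ == "__main__":
    for name, listed in demo().items():
        print(f"{name}: {'listed' if listed else 'dropped'}")
```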

