
This and this answer say that "once a certificate has expired, the CA ceases to keep track of its revocation status".

I'm trying to learn how OpenSSL works as a CA. If I have a revoked expired certificate in my index.txt, then this certificate is not automatically excluded when generating a CRL.

So my question is:

How do I keep the expired certificates from appearing on the CRL?

  • Should I delete all my expired certificates completely?
  • If so, do I need to manually edit index.txt to remove it from the database? (I can't find any arguments to openssl ca which delete certificates from the database.)

There is a command in openssl to revoke a certificate. See [this question](http://security.stackexchange.com/questions/38413/why-does-openssl-need-the-private-key-to-revoke-a-certificate) about the command (the question is actually about a bug in this command). – Uwe Plonus Jul 09 '13 at 09:59

My question is not how to revoke a certificate, it's what to do with expired certificates. – Stian Fauskanger Jul 09 '13 at 10:25

2 Answers


The documentation does not talk about it, but a look at the OpenSSL source code, in the apps/ca.c file, seems to indicate that the -updatedb command-line option will trigger a pruning of the index.txt database, converting expired certificates to "expired" status, which replaces the previous "revoked" or "not revoked" status.

(OpenSSL is not the best documented of software packages, especially for the command-line tools. Source code reading is often necessary.)

Tom Leek

Thanks for your tip on source code reading. But -updatedb only changes valid to expired, so I still don't know what to do to exclude expired certificates from the CRL. – Stian Fauskanger Jul 09 '13 at 11:51
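To make the behaviour discussed in the question and in this answer concrete, here is an added example (not code from the thread, and not OpenSSL's own code) that parses a small constructed index.txt, applies the same rule `openssl ca -updatedb` applies in apps/ca.c (only V entries past their expiry become E; R entries are left alone), and then selects the serials `openssl ca -gencrl` would put on the CRL (every R entry, expired or not). The `drop_expired` switch is an assumption of this example, showing the extra filtering step the asker wants; it is not an `openssl ca` option. The index.txt column layout (status, expiry, revocation date with optional reason, serial, filename, subject, tab-separated) is the one OpenSSL writes.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed sample index.txt content in OpenSSL's tab-separated layout:
# status, expiry, revocation[,reason], serial, filename, subject.
SAMPLE_INDEX = "\n".join([
    "V\t250101120000Z\t\t1001\tunknown\t/CN=still-valid.example",
    "V\t200101120000Z\t\t1002\tunknown\t/CN=expired-never-revoked.example",
    "R\t200601120000Z\t190301090000Z,keyCompromise\t1003\tunknown\t/CN=expired-and-revoked.example",
    "R\t260601120000Z\t230301090000Z\t1004\tunknown\t/CN=revoked-still-unexpired.example",
])


class Entry(NamedTuple):
    status: str                    # V = valid, R = revoked, E = expired
    expiry: datetime               # certificate notAfter
    revocation: Optional[datetime]  # set only for R entries
    reason: Optional[str]          # optional CRL reason after the comma
    serial: str                    # hex serial as written by openssl ca
    subject: str


def parse_time(s: str) -> datetime:
    # index.txt stores UTCTime (YYMMDDHHMMSSZ); GeneralizedTime (YYYYMMDD...) also occurs
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, exp, rev, serial, _filename, subject = fields
        rev_time = reason = None
        if rev:  # "revocationdate" or "revocationdate,reason"
            rev_s, _, reason = rev.partition(",")
            rev_time = parse_time(rev_s)
            reason = reason or None
        entries.append(Entry(status, parse_time(exp), rev_time, reason, serial, subject))
    return entries


def updatedb(entries: List[Entry], now: datetime) -> List[Entry]:
    """Mimic `openssl ca -updatedb`: a V entry whose expiry has passed becomes E.
    R entries are not touched, which is why an expired revoked certificate keeps
    its R status and still lands on the CRL."""
    return [e._replace(status="E") if e.status == "V" and e.expiry <= now else e
            for e in entries]


def crl_serials(entries: List[Entry], now: Optional[datetime] = None,
                drop_expired: bool = False) -> List[str]:
    """Serials `openssl ca -gencrl` lists: every R entry regardless of expiry.
    drop_expired=True (this example's addition, not an openssl option) also
    omits revoked certificates that are already past their notAfter."""
    out = []
    for e in entries:
        if e.status != "R":
            continue
        if drop_expired and now is not None and e.expiry <= now:
            continue
        out.append(e.serial)
    return out


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current" time
    db = updatedb(parse_index(SAMPLE_INDEX), now)
    for e in db:
        print(e.status, e.serial, e.subject)
    print("CRL as openssl builds it:", crl_serials(db))
    print("CRL without expired entries:", crl_serials(db, now, drop_expired=True))
```

Run as is: the entry for serial 1002 flips from V to E, serial 1003 stays R, and the default CRL list contains both 1003 and 1004 while the pruned list contains only 1004. Whether pruning is acceptable depends on the point AJ Henderson's answer makes about relying parties with wrong clocks; the example only makes the two behaviours visible.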

I don't see any reason why you couldn't manually delete them and remove any record of them having been created. I'm not sure if there is an automatic way or not. The point of keeping a listing of them is that someone needs to be able to check if the certificate is valid. If they have a valid date, then they will know that it isn't valid anymore regardless of whether it had been revoked prior to expiration. The one thing that leaving it in the CRL would do is that someone with a bad clock would still know that it was expired as long as they could actually get ahold of the CRL.

AJ Henderson