Gerd Schering wrote: That seems to be clear to me.
Hi,
It is possible (via the ca utility) to revoke certificates that already have expired.
Hard to say. The ITU X.509 standard says that if a certificate is revoked, it stays on the CRL for one CRL past its expiration date. In other words, if the order is: revoke, issue crl-1, expire, issue crl-2, then the cert should still be on crl-2; but not on crl-3 and beyond. The specification is not explicit about what to do if the order is expire, issue crl-1. My belief is that you do NOT put it on the CRL list.
But let me be somewhat more specific. If I use the openssl ca utility, it is technically possible to revoke a cert which has expired, for instance, for one year. If I generate a CRL (via the ca utility), the cert appears on the CRL.
Does this make any sense?
Gerd

-- ------------------------------------------------------
-- Gerd Schering, Email: [EMAIL PROTECTED]
-- ------------------------------------------------------
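The retention rule discussed in this thread, as an added example that is not part of the original messages: it reads revoked entries from a CA database and decides which serials belong on each CRL, keeping a revoked certificate until the first CRL issued after its expiry. The six-field tab-separated layout is assumed to match the `index.txt` kept by `openssl ca`; the sample data, the function names and the `list_revoked_after_expiry` switch are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the assumed `openssl ca` index.txt layout:
# status, expiry, revocation date[,reason], serial, filename, subject.
SAMPLE_INDEX = (
    "R\t240301000000Z\t240115000000Z,keyCompromise\t1000\tunknown\t/CN=revoked-then-expired\n"
    "R\t230301000000Z\t240310000000Z\t1001\tunknown\t/CN=expired-then-revoked\n"
    "V\t260101000000Z\t\t1002\tunknown\t/CN=still-valid\n"
)
# Constructed CRL issue times: crl-1, crl-2, crl-3.
CRL_TIMES = ["240201000000Z", "240401000000Z", "240601000000Z"]


def parse_time(s):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(s) == 13:  # UTCTime: two-digit years 50-99 are 19xx, 00-49 are 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return revoked entries as dicts with serial, subject, expires, revoked."""
    entries = []
    for line in text.splitlines():
        status, expires, revoked, serial, _file, subject = line.split("\t")
        if status == "R":
            entries.append({"serial": serial, "subject": subject,
                            "expires": parse_time(expires),
                            "revoked": parse_time(revoked.split(",")[0])})
    return entries


def crl_serials(entries, crl_times, i, list_revoked_after_expiry=False):
    """Serials that belong on CRL number i (0-based) under the rule above."""
    issued = parse_time(crl_times[i])
    previous = parse_time(crl_times[i - 1]) if i > 0 else None
    out = []
    for e in entries:
        if e["revoked"] > issued:
            continue  # not yet revoked when this CRL was issued
        if e["revoked"] > e["expires"]:
            # Revoked after expiry: the case the thread calls not explicit.
            if list_revoked_after_expiry:
                out.append(e["serial"])
            continue
        # Keep until the first CRL issued after expiry, then drop.
        if e["expires"] > issued or previous is None or previous < e["expires"]:
            out.append(e["serial"])
    return out
```

With the default setting the expired-then-revoked certificate is left off every CRL, matching the belief stated in the reply; passing `list_revoked_after_expiry=True` lists it, which is the outcome Gerd reports seeing.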