unski wrote:
> How can I get rid of the expired certificates in the revocation list? When I do
> openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg
> the revoked certificates that are also expired are added into the list. It is no use to store them there because the revocation list grows bigger and bigger that way.

Are you sure? There are scenarios where it might suddenly become relevant to know if a (maybe long expired) certificate has been revoked at a specific (long ago) time? And the CRL only stores the serial number of a revoked cert, which is typically only a few bytes of data per cert.
If you know what you are doing you might just delete the lines you don't want to have in the CRL from the database-file (usually "index" or "index.txt", depends on your openssl-config). But I'd advise to keep the deleted lines in some other file, just in case...
Hope it helps.
Ted ;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
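The manual edit suggested in the reply above, as an added example (not part of the original message and not OpenSSL's own code): it moves entries that are both revoked and expired out of the CA database and appends them to an archive file. It assumes the usual tab-separated index.txt layout (status, expiry, revocation date with optional reason, serial, file name, subject); the function names, the archive file and the sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_asn1_time(s):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> datetime."""
    body = s.rstrip("Z")
    if len(body) == 12:  # UTCTime: X.509 reads YY >= 50 as 19YY, else 20YY
        body = ("19" if int(body[:2]) >= 50 else "20") + body
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def split_index(lines, now):
    """Return (keep, archive); archive holds revoked entries whose cert has expired."""
    keep, archive = [], []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        # Assumed layout: status, expiry, revocation[,reason], serial, file, subject.
        # A malformed expiry raises ValueError on purpose: do not guess in a CA database.
        if len(fields) >= 4 and fields[0] == "R" and parse_asn1_time(fields[1]) < now:
            archive.append(line)
        else:
            keep.append(line)
    return keep, archive

def prune(index_path, archive_path, now=None):
    """Move revoked-and-expired lines from index_path to archive_path; return count."""
    now = now or datetime.now(timezone.utc)
    with open(index_path) as f:
        keep, archive = split_index(f.readlines(), now)
    if archive:
        with open(archive_path, "a") as f:  # archive first, so no record is lost
            f.writelines(archive)
        with open(index_path, "w") as f:
            f.writelines(keep)
    return len(archive)

# Constructed sample database entries (not taken from a real CA).
SAMPLE = [
    "V\t301231235959Z\t\t01\tunknown\t/CN=still-valid.example\n",
    "R\t200101000000Z\t190601000000Z\t02\tunknown\t/CN=revoked-and-expired.example\n",
    "R\t301231235959Z\t240301000000Z,keyCompromise\t03\tunknown\t/CN=revoked-not-expired.example\n",
    "E\t180101000000Z\t\t04\tunknown\t/CN=expired-never-revoked.example\n",
]

if __name__ == "__main__":
    keep, archive = split_index(SAMPLE, datetime(2025, 1, 1, tzinfo=timezone.utc))
    print("kept:", len(keep), "archived:", [l.split("\t")[3] for l in archive])
```

Run it on a copy of the database while no openssl ca command is active, then regenerate the CRL with the -gencrl command from the question. The archive file remains the only record of when those certificates were revoked.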