> How can I get rid of the expired certificates in the revocation
> list? When I do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg
> the revoked certificates that are also expired are added into the
> list. It is no use to store them there because the revocation list
> grows bigger and bigger that way.
Make sure this is correct for the type of certificate you are using. For email, code signing, and other stored communication certificates, this is the wrong thing to do.

Suppose I receive a program signed with a key. Even though that key expired two years ago, I still care whether it was revoked. If it was revoked -- especially if it was revoked before it signed the program -- then I don't want to run the program. If it just expired normally, there is no reason not to trust the program.

Similarly, you may look at an email you received last year and it may matter whether the key that signed it was revoked or not.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager
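To make the reply's point concrete, here is an added Python example (not from this thread and not OpenSSL's own code) that reads the `openssl ca` database, index.txt, which is what `openssl ca -gencrl` builds the CRL from, and classifies a signature by its signing time; it then shows what is lost when expired entries are pruned. The index contents, serials and timestamps are constructed for the example.

```python
"""Classify a signature against an `openssl ca` index.txt (constructed sample)."""
from datetime import datetime, timezone

# Constructed sample of an `openssl ca` index.txt.  Fields are tab-separated:
# status (V valid / R revoked / E expired), expiry, revocation date[,reason],
# serial (hex), certificate file name, subject DN.  Dates are YYMMDDHHMMSSZ.
SAMPLE_INDEX = (
    "V\t260101000000Z\t\t1001\tunknown\t/CN=still-valid\n"
    "R\t230101000000Z\t220301120000Z,keyCompromise\t1002\tunknown\t/CN=revoked-then-expired\n"
    "E\t230101000000Z\t\t1003\tunknown\t/CN=merely-expired\n"
)


def parse_time(stamp):
    """Parse the YYMMDDHHMMSSZ form used in index.txt as a UTC datetime."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Map serial -> (expiry, revocation time or None, reason or None)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, _subject = line.split("\t", 5)
        rev_time = reason = None
        if status == "R" and revoked:
            stamp, _, reason = revoked.partition(",")
            rev_time = parse_time(stamp)
        entries[serial.upper()] = (parse_time(expiry), rev_time, reason or None)
    return entries


def signature_status(entries, serial, signed_at):
    """Decide whether a signature made at `signed_at` by `serial` is trustworthy."""
    if serial.upper() not in entries:
        return "unknown-serial"            # no record: revocation cannot be checked
    expiry, rev_time, _reason = entries[serial.upper()]
    if rev_time is not None:
        # Revoked keys are never trusted; record whether the revocation
        # already applied when the signature was made.
        return "revoked-before-signing" if rev_time <= signed_at else "revoked-after-signing"
    if signed_at > expiry:
        return "signed-after-expiry"       # the key was no longer valid when used
    return "trusted"                       # expired since, but valid when it signed


def prune_expired(entries, now):
    """What the question proposes: drop every entry whose certificate has expired."""
    return {s: e for s, e in entries.items() if e[0] > now}
```

Running `prune_expired` on the sample drops serial 1002, so a later check of a signature it made returns `unknown-serial` instead of `revoked-before-signing`, which is exactly the information the reply says a verifier still needs.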