RSA Certificate Manager 6.8
Keon Certificate Authority
Certificate Revocation List (CRL)
Does RCM keep certificates on CRL when they expired?
====================
Revocation
When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (e.g., an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key. Under such circumstances, the CA needs to revoke the certificate.
====================
The first check that a client system should make when examining a certificate is whether it is within its validity period; this check can be done locally and quickly. Only then does the client need to consult a local copy of the CRL, or perform an online CRL check, to determine whether the certificate has been revoked.
This sequence means that a CRL never needs to list expired certificates, because the validity check has already rejected them.
RCM keeps expired certificates on one CRL following their expiration. It can also retain expired certificates on the CRL for a configurable number of days, controlled by a directive in xudad.conf.
Here are the details:
To retain expired certificates in revocation lists:
1. Locate the xudad.conf file in installed dir\Xudad\conf.
2. Open xudad.conf using a text editor. Add the following directive under the caoperations section:
keep_expired_certs_on_crl_and_arl value
where value is one of the following numbers:
- Any negative number (for example, -1): keeps expired certificates in revocation lists until the directive is changed.
- Any positive number: the number of days to keep expired certificates in revocation lists (for example, 100 keeps expired certificates for 100 days).
- 0: removes expired certificates from revocation lists. This is the default behavior when the directive is absent.
For an example of the caoperations section in xudad.conf, see "Promptpin" on page 69.
3. Restart Certificate Manager.
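The retention rule above, modelled as an added example (not RSA's code): it reads the keep_expired_certs_on_crl_and_arl value from xudad.conf text in the "name value" line form shown in the article, then applies the negative / positive / zero semantics to a constructed set of revoked certificates to decide which serials still belong on the CRL. The Revoked record and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DIRECTIVE = "keep_expired_certs_on_crl_and_arl"


def parse_keep_days(conf_text: str) -> int:
    """Return the directive value found in xudad.conf text, or 0 (the
    documented default) when the directive is absent. Assumes one
    'name value' directive per line; '#' lines are treated as comments."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == DIRECTIVE and len(parts) == 2:
            return int(parts[1])
    return 0


@dataclass(frozen=True)
class Revoked:  # hypothetical record of a revoked certificate
    serial: int
    not_after: datetime    # certificate expiry (end of validity period)
    revoked_at: datetime


def crl_serials(revoked: list, keep_days: int, now: datetime) -> list:
    """Serials that the CRL should list under the retention rule:
    unexpired revoked certs are always listed; expired ones stay for
    keep_days days, indefinitely if keep_days < 0, never if it is 0."""
    listed = []
    for r in revoked:
        if now < r.not_after:
            listed.append(r.serial)          # still valid: must be on the CRL
        elif keep_days < 0:
            listed.append(r.serial)          # keep until the directive changes
        elif keep_days > 0 and now - r.not_after <= timedelta(days=keep_days):
            listed.append(r.serial)          # expired, but inside the window
        # keep_days == 0 or window elapsed: expired entry is dropped
    return sorted(listed)


# Constructed sample data: one valid revoked cert, two expired ones.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Revoked(0x1001, NOW + timedelta(days=200), NOW - timedelta(days=10)),
    Revoked(0x1002, NOW - timedelta(days=30), NOW - timedelta(days=60)),
    Revoked(0x1003, NOW - timedelta(days=400), NOW - timedelta(days=500)),
]

if __name__ == "__main__":
    for conf in ("", f"{DIRECTIVE} 100", f"{DIRECTIVE} -1"):
        days = parse_keep_days(conf)
        print(f"{days:>4}: {[hex(s) for s in crl_serials(SAMPLE, days, NOW)]}")
```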