Expired certificates appear in CRL when include expired certificates is disabled
Steps to Reproduce:
1. On the CA console, for the CRL issuing point { crl_1 }: enable CRL generation, disable "include expired certs in the CRL", and leave the rest as defaults.
2. Issue 6 user certs that expire in 5 minutes.
3. Update the CRL after 6 minutes.
4. Go to the CA agent page and view the Revocation list.
5. PrettyPrintCrl the generated CRLs.
Actual results:
Expired certs are listed
Expected results:
Expired certs should not be listed
Additional info:
Created attachment 1064505 in associated bug: CA debug log
jmagne tried this out and got it to work as expected.
The key is, after the revoked cert goes out of validity due to the passage of time, we need to make sure the CertStatusUpdate thread has had a chance to run. This thread will take our EXPIRED cert into the REVOKED_EXPIRED state.
From there the CRL code knows how to filter REVOKED_EXPIRED certs from its list.
This was verified by rpattath.
Closing ticket as invalid.
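The following Python model is an added illustration of the timing described in the comment above; it is not Dogtag PKI code. The state names REVOKED and REVOKED_EXPIRED and the role of the CertStatusUpdate thread are taken from the comment; the function names, the record type and the sample of six revoked five-minute certificates are constructed for this example. It shows that a CRL generated before the status-update pass still lists the expired certificates even with "include expired certs" disabled, while a CRL generated after the pass does not.

```python
"""Constructed model (not Dogtag PKI code) of how the CertStatusUpdate
pass and CRL generation interact when include-expired-certs is disabled."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Certificate record states. REVOKED and REVOKED_EXPIRED are the names
# used in the issue comment; VALID and EXPIRED complete the model.
VALID = "VALID"
EXPIRED = "EXPIRED"
REVOKED = "REVOKED"
REVOKED_EXPIRED = "REVOKED_EXPIRED"


@dataclass
class CertRecord:
    """Hypothetical certificate record in the CA database."""
    serial: int
    not_after: datetime
    status: str = VALID
    revoked_at: Optional[datetime] = None


def revoke(rec: CertRecord, when: datetime) -> None:
    """Mark a certificate revoked (models the agent revocation action)."""
    if rec.status == VALID:
        rec.status = REVOKED
        rec.revoked_at = when


def cert_status_update(records: List[CertRecord], now: datetime) -> List[CertRecord]:
    """Model of the CertStatusUpdate thread: certificates whose validity has
    ended move from VALID to EXPIRED and from REVOKED to REVOKED_EXPIRED.
    Only once this pass has run does the CRL filter have anything to filter."""
    for rec in records:
        if rec.not_after <= now:
            if rec.status == REVOKED:
                rec.status = REVOKED_EXPIRED
            elif rec.status == VALID:
                rec.status = EXPIRED
    return records


def build_crl(records: List[CertRecord], include_expired_certs: bool) -> List[int]:
    """Return the serial numbers listed on the CRL.

    With include_expired_certs disabled, only REVOKED records are listed and
    REVOKED_EXPIRED records are filtered out. Note that the filter keys on the
    record status, not on not_after, which is why the status update must have
    run first for the filter to take effect."""
    listed = {REVOKED, REVOKED_EXPIRED} if include_expired_certs else {REVOKED}
    return sorted(rec.serial for rec in records if rec.status in listed)


def make_sample(issued_at: datetime) -> List[CertRecord]:
    """Constructed sample: six user certs valid for 5 minutes, all revoked."""
    records = [
        CertRecord(serial=serial, not_after=issued_at + timedelta(minutes=5))
        for serial in range(1, 7)
    ]
    for rec in records:
        revoke(rec, issued_at)
    return records


def crl_after_six_minutes(status_update_ran: bool) -> List[int]:
    """Reproduce the reported scenario: update the CRL 6 minutes after issuance,
    with include-expired-certs disabled. The flag controls whether the
    CertStatusUpdate pass has run before the CRL is generated."""
    issued_at = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    records = make_sample(issued_at)
    update_time = issued_at + timedelta(minutes=6)
    if status_update_ran:
        cert_status_update(records, update_time)
    return build_crl(records, include_expired_certs=False)


if __name__ == "__main__":
    print("status update not yet run:", crl_after_six_minutes(False))
    print("status update has run:    ", crl_after_six_minutes(True))
```

Run stand-alone, the first line lists all six serials (the "Actual results" of the report) and the second lists none (the "Expected results"), which is the behaviour the comment describes once the CertStatusUpdate thread has moved the records to REVOKED_EXPIRED.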
Metadata Update from @rpattath: - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2131
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.