Escalated to Bugzilla from IssueTracker
Target fix to 8.0
User nkwan's account has been closed
This issue is now fixed in 8.0.
It appears there are options for now for CRL content publishing:
  Include expired certificates
  Include certificates one extra time after their expiration

Is this bug because these did not work, or is this a new feature to address this bug?
(In reply to comment #15)
> It appears there are options for now for CRL content publishing:
>   Include expired certificates
>   Include certificates one extra time after their expiration
>
> Is this bug because these did not work, or is this a new feature to address
> this bug?

Including certificates in CRL for one extra time after their expiration is a new feature due to required compliance with RFCs 5280, 3280 (see comment #1).
Verified:

With "Include certificates one extra time after their expiration" enabled, first CRL update after expiration included revoked expired certificate:

    Certificate Revocation List:
        Data:
            Version: v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:22:58 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1-1 of 1
                Serial Number: 0xC
                Revocation Date: Thursday, June 4, 2009 8:57:49 AM EDT America/New_York
                Extensions:
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no
                        Reason: Privilege_Withdrawn
        Extensions:
            Identifier: CRL Number - 2.5.29.20
                Critical: no
                Number: 6
        Signature:
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5

Second update to CRL did not include the revoked expired certificate:

    Certificate Revocation List:
        Data:
            Version: v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:24:58 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1
        Signature:
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5

Subsequently enabling "Include expired certificates" and generating a new CRL again included the expired revoked certificate:

    Certificate Revocation List:
        Data:
            Version: v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:29:24 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1-1 of 1
                Serial Number: 0xC
                Revocation Date: Thursday, June 4, 2009 8:57:49 AM EDT America/New_York
                Extensions:
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no
                        Reason: Privilege_Withdrawn
        Extensions:
            Identifier: CRL Number - 2.5.29.20
                Critical: no
                Number: 8
        Signature:
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
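
The following is an added example, not part of the thread and not Certificate System code: a small model of the two CRL content options discussed above, replaying the three CRL updates from the verification comment. The Python field names, the `listed_after_expiry` bookkeeping flag, and the certificate's expiry time (not shown in the thread) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class RevokedCert:
    serial: int
    not_after: datetime
    # Hypothetical flag: has this entry already appeared on a CRL issued
    # after the certificate expired?
    listed_after_expiry: bool = False


@dataclass
class CrlOptions:  # field names are assumptions modelled on the two options
    include_expired: bool = False
    one_extra_time: bool = False


def build_crl(revoked, this_update, opts):
    """Return the serial numbers listed on the CRL issued at this_update."""
    listed = []
    for cert in revoked:
        expired = this_update > cert.not_after
        if expired and not opts.include_expired:
            # An expired entry is kept only if the extra-time option is on
            # and it has not yet been published past its expiry.
            if not (opts.one_extra_time and not cert.listed_after_expiry):
                continue
        listed.append(cert.serial)
        if expired:
            cert.listed_after_expiry = True
    return listed


def replay():
    """Replay the three updates from the thread (This Update times as posted)."""
    def at(h, m, s):
        return datetime(2009, 6, 4, h, m, s)
    # Expiry time is constructed: after revocation (8:57:49), before 9:22:58.
    cert = RevokedCert(serial=0xC, not_after=at(9, 20, 0))
    extra = CrlOptions(one_extra_time=True)
    both = CrlOptions(include_expired=True, one_extra_time=True)
    return [
        build_crl([cert], at(9, 22, 58), extra),  # first update after expiry
        build_crl([cert], at(9, 24, 58), extra),  # second update
        build_crl([cert], at(9, 29, 24), both),   # "Include expired" enabled
    ]


if __name__ == "__main__":
    print(replay())
```

With both options off, the same certificate would be absent from the first CRL issued after its expiry, so a relying party that only fetched that CRL would never see the revocation.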