Hi Gregory,

> -----Original Message-----
> From: Gregory Sloop
[snip]
> So, I thought - why should I set the default_crl_days to some low
> number. I assume that it [the CRL] can be replaced with a "new" CRL,
> should we need one, long before the default_crl_days limit is reached.
> Is that correct?

Yes, this is correct.

> So, if that's the case, what would be the downside of making the
> default_crl_days equal to the validity of the CA itself, for example?
> [e.g. If the CA cert is valid for 100 years, why not set the
> default_crl_days to 36500+/- days too?]

Every certificate that is revoked after the crl's issuance is naturally not contained in it. So a client querying a crl for a certificate's revocation status will falsely accept every certificate that was revoked after the crl's issuance. The longer your crl is valid, the more revoked certificates will slip through the check. Plus, the client has no need to update the crl as long as it is valid. This problem is inherent to crls. As such, you want to make your crls as short running as possible and usable in your environment.

HTH,
Patrick Eisenacher
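The exposure window Patrick describes, as an added model that is not part of the thread: a client that caches a CRL until its nextUpdate keeps accepting a certificate revoked after thisUpdate, even though the CA regenerates a fresh CRL immediately. The dates, serial number and the `Ca`/`Client` classes are constructed for illustration; `crl_days` stands in for the openssl.cnf `default_crl_days` value.

```python
"""Added model of a CRL-caching client (not from the thread): shows why
a long default_crl_days widens the window in which a revoked certificate
is still accepted, even when the CA publishes a fresh CRL right away."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)  # constructed: when the client first fetches a CRL

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers listed in this CRL

@dataclass
class Ca:
    crl_days: int                 # plays the role of default_crl_days
    revoked: set = field(default_factory=set)

    def gencrl(self, now):
        """Like 'openssl ca -gencrl': list everything revoked so far."""
        return Crl(now, now + timedelta(days=self.crl_days), frozenset(self.revoked))

class Client:
    """Caches the CRL and only fetches a new one once nextUpdate has passed,
    which is all a typical verifier does while the cached CRL is valid."""
    def __init__(self, ca):
        self.ca, self.cached = ca, None

    def is_revoked(self, serial, now):
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.gencrl(now)  # refresh only when expired
        return serial in self.cached.revoked

def falsely_accepted(crl_days, revoke_day, check_day, serial=0x1001):
    """True if a cert revoked on revoke_day is still accepted on check_day.
    The client cached a clean CRL on day 0; the CA regenerates a CRL at
    revocation time, but the client never asks for it before nextUpdate."""
    ca = Ca(crl_days)
    client = Client(ca)
    client.is_revoked(serial, T0)                 # day 0: cache a clean CRL
    ca.revoked.add(serial)
    ca.gencrl(T0 + timedelta(days=revoke_day))    # early replacement CRL, ignored
    return not client.is_revoked(serial, T0 + timedelta(days=check_day))

def exposure_days(crl_days, revoke_day):
    """Days during which the revoked cert keeps passing the client's check."""
    return max(crl_days - revoke_day, 0)
```

With `crl_days=36500` a certificate revoked on day 1 is accepted for the next 36499 days; with `crl_days=7` the client picks up the revocation at its day-7 refresh.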