If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.

This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.

I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread: https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html

It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common.

I'm sure there are other people on the list who know more about current practices in this area than I do.

Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
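The reasoning in the post above, worked through as an added example (not code from the original message or from OpenSSL): a small decision function that a relying party could apply to a timestamped signature, given a CRL that may or may not have pruned expired entries. It assumes the X.509 semantics that the expiredCertsOnCRL extension carries a date and that the CRL retains revoked entries for every certificate that expired on or after that date; all serials, dates and CRLs below are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional

class Status(Enum):
    GOOD = "not revoked at signing time"
    REVOKED = "revoked at or before signing time"
    EXPIRED_AT_SIGNING = "signature made outside certificate validity"
    UNDETERMINED = "CRL may have pruned the entry; status unknown"

@dataclass
class Crl:
    this_update: datetime
    revoked: Dict[int, datetime]              # serial -> revocationDate
    expired_certs_on_crl: Optional[datetime]  # extension value, None if absent

def signature_status(crl: Crl, serial: int, not_before: datetime,
                     not_after: datetime, signing_time: datetime) -> Status:
    """Revocation verdict for a signature whose signing_time is trusted (timestamped)."""
    if not (not_before <= signing_time <= not_after):
        return Status.EXPIRED_AT_SIGNING
    rev_date = crl.revoked.get(serial)
    if rev_date is not None:
        # Entry present: a signature made before the revocation date is still good
        return Status.REVOKED if rev_date <= signing_time else Status.GOOD
    # Entry absent. Absence only proves "not revoked" if the CRL would still list it.
    if not_after >= crl.this_update:
        return Status.GOOD  # cert had not expired when this CRL was issued
    if crl.expired_certs_on_crl is not None and not_after >= crl.expired_certs_on_crl:
        return Status.GOOD  # CRL asserts it keeps entries for certs expired since that date
    return Status.UNDETERMINED  # pruned CRL: the post's "no way of knowing" case

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data (not from any real CA)
SERIAL = 0x1001
NOT_BEFORE, NOT_AFTER = utc(2021, 1, 1), utc(2022, 1, 1)
SIGNED_AT = utc(2021, 9, 1)
REVOKED_AT = utc(2021, 6, 1)
CRL_ISSUED = utc(2023, 1, 1)

pruned = Crl(CRL_ISSUED, {}, None)                            # expired entries dropped, unsignalled
retaining = Crl(CRL_ISSUED, {SERIAL: REVOKED_AT}, utc(2020, 1, 1))  # keeps entries, signals it
clean = Crl(CRL_ISSUED, {}, utc(2020, 1, 1))                  # keeps entries; cert never revoked

if __name__ == "__main__":
    for name, crl in [("pruned", pruned), ("retaining", retaining), ("clean", clean)]:
        print(name, signature_status(crl, SERIAL, NOT_BEFORE, NOT_AFTER, SIGNED_AT).name)
```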