When a certificate is created, it is stamped with Valid From and Valid To dates. The interim period between these dates is the cycle of time the certificate and key pairs are valid. Once a certificate’s validity period has expired, it must be either renewed or destroyed.
Certification Revocation List: The X.509 standard mandates CAs to publish CRLs. The basic information contained in a CRL is the revocation status of certificates that the CA manages. There are several variations of a revocation list:
- A simple CRL is a container that holds the list of revoked certificates. A simple CRL contains the name of the CA, the time and date the CRL was published, and when the next CRL will be published. A simple CRL is a single file that continues to grow over time. The fact that only information about the certificate is included and not the certificate itself controls the size of a simple CRL container.
- Delta CRLs were created to handle the issue that simple CRLs cannot—size and distribution. Although a simple CRL only contains certain information about the revoked certificate, it can still become a large file. In a Delta CRL configuration, a base CRL is sent out to all end parties to initialize their copies of the CRL. After the base CRL is sent out, updates known as deltas are sent out on a periodic basis to inform the end parties of changes.
