Are SSL certs auto-revoked if their Not-Valid-After date is reached without renewing?

No. Revocation is an active event, not something that passively or automatically happens. Expiration is passive, though. An expired cert is no longer valid, so there's no need to stick it in a CRL or update OCSP.

If the purpose of your checker is only to parse OCSP, then no, you don't need to check the dates on the cert, because that's not part of OCSP. If the purpose of your checker is to answer the question "is this cert valid?", then you absolutely need to check the validity dates (both start and end).

EDIT: As eckes points out, for your typical client-identification or server-identification cert (or any other kind not used for long-term signatures), once it's expired you can actually take it off revocation lists, which helps keep their size down.


You MUST check the expiration date first. You can do that locally, without creating a connection to the OCSP server and spending network resources at both your end and OCSP server's end. (And yes, I regularly deal with overloaded OCSP servers.)

And no, an expired certificate is not automatically revoked. In a lot of cases (as in dealing with timestamped signatures) it is important to know if the cert was valid at the very moment of the signature creation, even if it is expired and/or revoked right now. That's why asking the OCSP for an expired cert is a valid action by itself, but the server may answer that the cert is not revoked even if it is expired.
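The ordering both answers above describe (validity window checked locally first, OCSP only for certificates inside that window, and the ability to judge validity at a signature's timestamp rather than "now") as an added Python example; it is not code from the answers. It assumes the certificate is available in the dict shape `ssl.SSLSocket.getpeercert()` returns, uses a made-up sample certificate, and stands in a counting stub for the real OCSP client so the network cost of each path is visible.

```python
import ssl
import time
from typing import Callable, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, trimmed
# to the fields that matter here. The dates are invented for the example.
SAMPLE_CERT: dict = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2021 GMT",
}


def epoch(cert_time: str) -> float:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' notation used in getpeercert() output."""
    return ssl.cert_time_to_seconds(cert_time)


def check_validity(cert: dict, at: Optional[float] = None,
                   ocsp_lookup: Optional[Callable[[dict], str]] = None) -> str:
    """Classify a cert as 'not-yet-valid', 'expired', 'revoked' or 'good'.

    The validity window is checked first, purely locally. OCSP is consulted
    only when the instant being judged falls inside that window, so an expired
    cert never costs a network round-trip. `at` is the instant to judge
    (default: now); pass a signature's timestamp to ask whether the cert was
    valid when that signature was made.
    """
    at = time.time() if at is None else at
    not_before, not_after = epoch(cert["notBefore"]), epoch(cert["notAfter"])
    if at < not_before:
        return "not-yet-valid"
    if at > not_after:
        return "expired"
    # Inside the window: only now is the OCSP round-trip worth spending.
    if ocsp_lookup is not None and ocsp_lookup(cert) == "revoked":
        return "revoked"
    return "good"


class CountingOcsp:
    """Hypothetical stand-in for an OCSP client: returns a fixed answer and
    records how often it was asked, so skipped lookups are observable."""

    def __init__(self, answer: str = "good") -> None:
        self.answer = answer
        self.calls = 0

    def __call__(self, cert: dict) -> str:
        self.calls += 1
        return self.answer


def demo() -> dict:
    """Run the three cases from the discussion and return the outcomes."""
    ocsp = CountingOcsp("good")
    results = {}
    # 1. Inside the window: dates pass locally, so OCSP is consulted.
    results["in_window"] = check_validity(
        SAMPLE_CERT, epoch("Jun 15 12:00:00 2020 GMT"), ocsp)
    calls_so_far = ocsp.calls
    # 2. After notAfter: rejected locally, OCSP is never contacted.
    results["after_expiry"] = check_validity(
        SAMPLE_CERT, epoch("Mar  1 00:00:00 2022 GMT"), ocsp)
    results["ocsp_skipped_for_expired"] = ocsp.calls == calls_so_far
    # 3. A timestamped signature made inside the window, judged after expiry:
    #    the cert is expired now, but was valid and unrevoked at signing time.
    results["at_signing_time"] = check_validity(
        SAMPLE_CERT, epoch("Nov  3 08:30:00 2021 GMT"), ocsp)
    results["ocsp_calls"] = ocsp.calls
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `at` parameter is the signature case from the second answer: the same function answers "is this cert valid right now?" and "was it valid when this signature was produced?", and in both cases the date comparison runs before any responder is contacted.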


Think about it like this. You go to the grocery store to buy milk. Would you check for recalls on milk to see if the milk is expired? No! You'd just check the expiration date. You know it's expired by the expiration date alone. It's the same case with certificates. You should be checking the date to see if it is expired. If it has not expired then you can see if it's been revoked prematurely.

(This isn't the best metaphor because shoppers wouldn't check for recalls, but I think it helps to illustrate the point.)