Are SSL certs auto-revoked if their Not-Valid-After date is reached without renewing?

No. Revocation is an active event, not something that passively or automatically happens. Expiration is passive, though. An expired cert is no longer valid, so there's no need to stick it in a CRL or update OCSP.

If the purpose of your checker is only to parse OCSP, then no, you don't need to check the dates on the cert, because that's not part of OCSP. If the purpose of your checker is to answer the question "is this cert valid?", then you absolutely need to check the validity dates (both start and end).

EDIT: As eckes points out, for your typical client-identification or server-identification cert (or any other kind not used for long-term signatures), once it's expired you can actually take it off revocation lists, which helps keep their size down.


You MUST check the expiration date first. You can do that locally, without creating a connection to the OCSP server and spending network resources at both your end and OCSP server's end. (And yes, I regularly deal with overloaded OCSP servers.)

And no, an expired certificate is not automatically revoked. In a lot of cases (as in dealing with timestamped signatures) it is important to know if the cert was valid at the very moment of the signature creation, even if it is expired and/or revoked right now. That's why asking the OCSP for an expired cert is a valid action by itself, but the server may answer that the cert is not revoked even if it is expired.


Think about it like this. You go to the grocery store to buy milk. Would you check for recalls on milk to see if the milk is expired? No! You'd just check the expiration date. You know it's expired by the expiration date alone. It's the same case with certificates. You should be checking the date to see if it is expired. If it has not expired then you can see if it's been revoked prematurely.

(This isn't the best metaphor because shoppers wouldn't check for recalls, but I think it helps to illustrate the point.)

Tags:

Certificate Revocation

Certificates

X.509

Ocsp

Related

If malware does not run in a VM why not make everything a VM? Does phishing include ransomware? How can you bind a public key to a certificate if the public key depends on the choice of algorithms? How does having a custom root certificate installed from school or work cause one to be monitored? Could receiving a URL link, not clicking on it, ever pose a security problem? Trojan "Win32/Tnega!MSR" found by Windows Defender - aliases used by other antiviruses? How do hackers trick frontend validation? Qualys SSL Scan weak cipher suites which are secure according to ciphersuite.info How does one take advantage of unencrypted traffic? Why do password requirements exist while limiting the upper character count? Is there any hope of getting my pictures back after an iPhone factory reset some day in the future? Security implications of granting non-root access to privileged ports (<1024)

Recent Posts