Remove expired origin SSL certs without revoking?

Hello there. My question is so simple - how can I remove expired origin server certificates without adding them to Cloudflare CRL lists by pressing the “revoke” button? Those lists are already large enough for almost any Mikrotik hardware; how can I avoid growing them, at least by myself?


I am afraid your question is not simple :slight_smile:

What do you want to delete? If you want to delete an Origin certificate from Cloudflare’s control panel, you need to click that button. That will also revoke the certificate.

But that list has no relation to any hardware, and if you want to remove the certificate from your hardware, then that’s something you need to configure there, not on Cloudflare.

I describe more - I want to remove my expired certificate from the panel, but without adding it to certificate revocation lists, because it’s already expired. Is it possible, or is an expired certificate added to revoked certificate lists anyway?

You don’t really have control over when a certificate gets added to a list, but it should really matter anyhow. Especially because Origin certificates won’t be on any public list anyhow, as they are only handled by the proxies.

So if you want to remove a certificate from your list, just delete it and don’t bother with any revocation lists.

They already use public CRL lists placed directly in origin server certificates, and those lists are really huge. Of course I can just skip using the CRL where it makes trouble, but that equals skipping one security step.

I tried to add a link to the CRL lists from the certificate, but the forum restricts me from this :worried:

Returning to my question - can I somehow reduce the growth of this CRL list from my own certificates, except by just not creating them or creating fewer of them?

I am afraid I am not quite sure what you are saying. Once more, Origin certificates are not part of any public CT, as they are solely privately handled certificates.

As for your question, that’s rather something for StackExchange or Reddit, as it is not Cloudflare related.

But again, you revoking a certificate really should not bother you, as there’ll be X certificates revoked every day and you cannot control that.

Of course those certificates are not part of a public CA, but they use CRL lists built directly into origin server certificates, and those lists need more than 2G of RAM to be unpacked and processed. It makes those CRLs almost unusable on embedded systems like medium routers, etc.

You can discover your own certificate’s link to the CRL list. I just downloaded it, and this list has 143 Megabytes (!) of revoked origin server certificates.

I understand that this list can’t be reduced so easily, but maybe I can avoid growing it myself.

Sorry, but this is not a grammatically correct sentence. I am not quite sure what you are trying to say.

Again, which CRL are you talking about?

And again again, if you need to reduce a CRL, that’s up to you; certificate authorities will provide what they provide. Maybe your software can optimise these lists, but that’s a topic that is beyond the scope of the forum here.

Are you talking about http://crl.cloudflare.com/origin_ca.crl?

Fair enough, that’s Cloudflare’s list of revoked certificates all right. How you handle that really is up to you; if you have memory constraints, you might not want to use it all, also because it won’t be relevant to you anyhow.

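The thread turns on three things a resource-constrained origin has to do with a CRL: find where the certificate says the CRL lives, gauge how large the CRL is before loading it, and run chain validation with CRL checking. The script below, an added example that is not from this thread or from Cloudflare, builds a throwaway local CA, issues a leaf certificate carrying a crlDistributionPoints extension, revokes that leaf, generates a CRL and then runs those checks with plain openssl. All names and the CRL URL (`crl.example.invalid`) are constructed placeholders; nothing is fetched from the network. It also shows the validity check that runs before any CRL lookup, which is why an expired certificate is rejected on its dates alone and gains nothing from a CRL entry.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway local CA, a leaf certificate with a
# crlDistributionPoints extension, a CRL that revokes the leaf, and the checks an
# origin with tight memory would run against a CRL. Everything is constructed here;
# the CRL URL is a placeholder, not a real distribution point.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway CA. keyUsage must include cRLSign, or `openssl verify` rejects its CRL.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Origin CA" \
  -keyout ca.key -out ca.csr >/dev/null 2>&1
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
               'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -sha256 \
  -extfile ca.ext -out ca.crt >/dev/null 2>&1

# Leaf certificate; the extension is where a client discovers the CRL location.
printf '%s\n' 'crlDistributionPoints=URI:http://crl.example.invalid/demo_origin.crl' > leaf.ext
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=origin.example.invalid" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# Minimal `openssl ca` config: only what -revoke and -gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
: > index.txt
echo 1000 > crlnumber

# Pressing "revoke" in a CA panel amounts to these two steps: mark the serial
# revoked in the CA database, then publish a fresh CRL containing it.
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out demo.crl >/dev/null 2>&1

# Where the certificate says its CRL lives (first URI under CRL Distribution Points).
crl_url_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/CRL Distribution Points/,/URI:/s/^ *URI://p' | head -n 1
}

# Number of revoked serials in a CRL; each is printed as a "Serial Number:" line.
# A rough proxy for the memory a parser needs on a router-class device.
crl_entry_count() {
  openssl crl -in "$1" -noout -text | grep -c '^ *Serial Number:' || true
}

# Validity-period check; this runs before any CRL lookup, so an expired
# certificate fails here whether or not it ever appears in a CRL.
cert_status() {
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo valid
  else
    echo expired
  fi
}

# Chain validation with CRL checking; the leaf is in date but revoked, so it fails.
verify_with_crl() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo revoked
  fi
}

crl_url_of leaf.crt                 # http://crl.example.invalid/demo_origin.crl
crl_entry_count demo.crl            # 1
cert_status leaf.crt                # valid
verify_with_crl leaf.crt demo.crl   # revoked
```

The same three functions work unchanged against a real certificate and a downloaded CRL file: `crl_url_of` tells you which list the certificate points at, `crl_entry_count` gives a cheap size estimate before the device commits memory to parsing it, and `verify_with_crl` is the check that actually enforces revocation. Note that `-crl_check` only consults a CRL for the leaf; `-crl_check_all` would also require CRLs for every CA in the chain.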

Yes, this is actually what I am talking about.

So, just this way. Okay, thanks for your attention, I’ll keep calm with it :upside_down_face:
