Certificate upload to PAM failed with "CRL has expired" error

Document ID : KB000100114
Last Modified Date : 05/06/2018
Issue:
I have uploaded (imported) the root and intermediate certificates and CRL (Certificate Revocation List) files to PAM. However, when I try to upload the Server Certificate I always get the "CRL has expired" error message.

"CRL has expired" error when uploading Server Certificate
Environment:
2.8.3
Cause:
This error is caused by the CRL (Certificate Revocation List) file being in the wrong format. You need to convert the CRL file from DER (binary) to PEM (ASCII Base64) format and re-upload it.
Resolution:
Use the following steps to convert the CRL file from DER to PEM format and re-upload it.

1. Open your CRL file in a text editor and check whether it is in binary or ASCII format. If your CRL file is in ASCII format, you should see the following as the top line. If not, your CRL file is in DER format. If your CRL file is in DER format, go to the next step.

 -----BEGIN X509 CRL-----

2. Install OpenSSL on your machine and run the following command to convert the file.
      openssl crl -in abc.crl -inform DER -out abc_pem.crl
    In the example command above, abc.crl is the original CRL file in DER format. The command output is abc_pem.crl, which is in PEM format.

3. Go to Config > Security > Upload Certificate or Private Key, select Certificate Revocation List as the Type, and upload the converted abc_pem.crl (PEM format) to PAM. Delete the previously uploaded abc.crl (DER format) if it had been uploaded.

4. Upload the Server Certificate again.
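
The format check from step 1 and the conversion from step 2 as one script. This is an added example, not part of the original article; the function names crl_format and ensure_pem_crl are hypothetical, and the file names are the article's placeholders. It also prints the CRL's lastUpdate and nextUpdate fields, so a CRL that really is past its nextUpdate time can be told apart from one that is only in the wrong format.

```shell
#!/bin/sh
# Added example: detect whether a CRL file is PEM or DER, convert DER to PEM
# with the openssl command from step 2, then show the CRL validity window.

# Print PEM, DER or unknown for the CRL file given as $1.
crl_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN X509 CRL-----'; then
        # Same test as step 1: the PEM header is the top line.
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d '[:space:]')" = "30" ]; then
        # DER is binary ASN.1; a CRL starts with a SEQUENCE tag (0x30).
        echo DER
    else
        echo unknown
    fi
}

# Write a PEM copy of CRL $1 to $2, converting only when the input is DER.
ensure_pem_crl() {
    case "$(crl_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl crl -in "$1" -inform DER -out "$2" -outform PEM ;;
        *)   echo "$1: not a PEM or DER CRL" >&2; return 1 ;;
    esac
    # Print lastUpdate and nextUpdate of the PEM file before uploading it.
    openssl crl -in "$2" -noout -lastupdate -nextupdate
}

# Runs only when called with two arguments, for example:
#   ./crl_to_pem.sh abc.crl abc_pem.crl
if [ "$#" -eq 2 ]; then
    ensure_pem_crl "$1" "$2"
fi
```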
 
Additional Information:
Please also refer to the CA PAM Certificates Configuration online documentation.