Digital certificates are an important part of network security. Digital certificates provide two main functions. First, digital certificates provide a way for an entity to prove ownership of a public key. Second, digital certificates provide a way for a network entity such as a client, service, or network application to prove the entity's identity. Certificate Authorities (“CAs”) play an important role by validating the identity of entities that request digital certificates, and by issuing digital certificates to entities that the Certificate Authority (“CA”) has validated. When a certificate authority issues a digital certificate, the certificate authority signs the digital certificate using a private key belonging to the certificate authority. A network client can verify the identity of a network service by requesting the digital certificate belonging to the network service. If the digital certificate provided by the network service is signed by the certificate authority, and the network client is configured to trust the certificate authority, the network client can verify the signature on the digital certificate to confirm the identity of the network service.
In addition, the digital certificate may include a validity range and various extended use fields that modify or otherwise restrict the usage of the digital certificate. For CAs and network services, managing and updating this information is difficult. For example, when a digital certificate expires (i.e., the current time falls outside the validity range assigned to the digital certificate), an administrator or other entity of the network service must obtain a new digital certificate from a CA, remove the expired certificate from a plurality of computer systems providing the network service, and install the new digital certificate on the plurality of computer systems providing the network service. In addition, the CAs must maintain a Certificate Revocation List (CRL), which is a list of digital certificates that have been revoked by an entity (e.g., the issuing CA) before the digital certificate's scheduled expiration date and should no longer be trusted. In many situations the CRL is large and difficult for both the CA and network services to manage. Furthermore, revoked digital certificates must remain on the CRL until after the expiration of the validity range to ensure that the digital certificates are not trusted.
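The two paragraphs above describe the CA issuing and signing a certificate, the client verifying that signature against a CA it trusts, and the validity range, extended use fields and CRL that further restrict whether the certificate may be relied on. The following is an added example, not code from the original text: it builds a constructed CA, issues leaf certificates with a validity range and an Extended Key Usage, publishes a CRL, and runs the client-side checks in the order a relying party would. It uses the third-party `cryptography` package; every name, key and serial number is generated on the spot and stands for nothing real. The order of checks (signature, then validity, then key usage, then revocation) and the decision to treat a missing Extended Key Usage as unrestricted follow RFC 5280 rather than anything stated on the page.

```python
"""Constructed CA, leaf certificates, CRL, and the checks a client performs."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

DAY = datetime.timedelta(days=1)
UTC = datetime.timezone.utc


def _now():
    return datetime.datetime.now(UTC)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _attr_utc(obj, attr):
    # cryptography >= 42 exposes `<attr>_utc`; older releases return naive UTC datetimes
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value if value.tzinfo else value.replace(tzinfo=UTC)


def make_ca(cn="Constructed Root CA"):
    """Self-signed CA certificate: the CA signs its own public key with its private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - DAY).not_valid_after(_now() + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, cn, not_before, not_after, eku):
    """CA binds `cn` to a fresh public key, sets the validity range and an
    Extended Key Usage, and signs the result with the CA private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials, valid_for=DAY):
    """CA publishes a signed CRL listing the serial numbers it has revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + valid_for))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())


def validate(cert, ca_cert, crl, required_eku, at=None):
    """Client-side checks: CA signature, validity range, extended key usage,
    revocation. Returns (accepted, reason)."""
    at = at or _now()
    # 1. Issuer name must be the trusted CA, and the signature must verify under
    #    that CA's public key (a matching name alone proves nothing).
    if cert.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature not made by trusted CA"
    # 2. Validity range.
    if at < _attr_utc(cert, "not_valid_before"):
        return False, "not yet valid"
    if at > _attr_utc(cert, "not_valid_after"):
        return False, "expired"
    # 3. Extended Key Usage restricts what the certificate may be used for;
    #    RFC 5280 treats a missing extension as unrestricted.
    try:
        if required_eku not in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value:
            return False, "extended key usage does not permit this use"
    except x509.ExtensionNotFound:
        pass
    # 4. Revocation: the CRL must itself be signed by the CA and still current.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by trusted CA"
    if at > _attr_utc(crl, "next_update"):
        return False, "CRL is stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "revoked"
    return True, "ok"


def demo():
    """Constructed scenario: one trusted CA, an impersonating CA, five leaf certs, one CRL."""
    ca_key, ca_cert = make_ca()
    now, srv = _now(), ExtendedKeyUsageOID.SERVER_AUTH
    _, good = issue(ca_key, ca_cert, "svc.example.test", now - DAY, now + 30 * DAY, srv)
    _, expired = issue(ca_key, ca_cert, "old.example.test", now - 60 * DAY, now - DAY, srv)
    _, revoked = issue(ca_key, ca_cert, "leaked.example.test", now - DAY, now + 30 * DAY, srv)
    _, client_only = issue(ca_key, ca_cert, "user.example.test", now - DAY, now + 30 * DAY,
                           ExtendedKeyUsageOID.CLIENT_AUTH)
    rogue_key, rogue_cert = make_ca("Constructed Root CA")  # same name, untrusted key
    _, rogue = issue(rogue_key, rogue_cert, "svc.example.test", now - DAY, now + 30 * DAY, srv)
    crl = build_crl(ca_key, ca_cert, [revoked.serial_number])
    return {
        "good": validate(good, ca_cert, crl, srv),
        "expired": validate(expired, ca_cert, crl, srv),
        "revoked": validate(revoked, ca_cert, crl, srv),
        "wrong_eku": validate(client_only, ca_cert, crl, srv),
        "rogue_ca": validate(rogue, ca_cert, crl, srv),
        "stale_crl": validate(good, ca_cert, crl, srv, at=now + 2 * DAY),  # CRL next_update passed
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10} -> {'accept' if ok else 'reject'}: {reason}")
```

The `stale_crl` case illustrates the operational burden the text describes: a client that keeps honouring a CRL past its `next_update` will keep trusting certificates revoked after that CRL was published, so the CA must keep reissuing the list, and the revoked serial must stay on it until the certificate's own validity range has ended.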