Cisco Certified Internetwork Expert (CCIE) Practice Test

Master the Cisco Certified Internetwork Expert Exam. Engage with our comprehensive questions and detailed explanations. Prepare effectively and achieve your certification goals!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What are certificate-based ACLs configured to do regarding expired certificates?

  1. They strictly disallow expired certificates

  2. They can allow expired certificates if the peer is valid

  3. They require a new certificate to be issued before connection

  4. They need to have a CRL to function correctly

The correct answer is: They can allow expired certificates if the peer is valid

Certificate-based Access Control Lists (ACLs) handle expired certificates with deliberate flexibility. Although certificates should ideally be valid and current, a certificate-based ACL can permit a connection with an expired certificate when the peer presenting it is deemed valid through other checks. Under those conditions the system still authenticates the peer on criteria other than the certificate's expiration date.

Allowing expired certificates for otherwise valid peers accounts for real-world situations in which certificates are not renewed immediately, yet trust in the peer's identity remains sound on the basis of that alternative validation. A stricter approach would enforce certificate validity unconditionally and would not accommodate trusted environments in which an expired certificate is temporarily acceptable. The options that require a new certificate to be issued before connection, or that require a Certificate Revocation List (CRL) in order to function, describe stricter operational standards and do not reflect the flexibility found in many implementations of certificate-based ACLs.