This is a compliance issue for eIDAS TSPs under ETSI EN 319 411-2 and ETSI EN 319 411-1.
319 411-2: CSS-6.3.10-07
If CRLs are provided and the TSP decides or is required to terminate a CRL, the TSP should issue and publish at the corresponding CRL Distribution Point a last CRL with a nextUpdate field value as defined in ETSI EN 319 411-1, clause 6.3.9. Requirement CSS-6.3.9-06.
Today we can set the CRL Period really high, but the resulting nextUpdate does not stop at 99991231235959Z; it goes past it and produces later dates (displayed as an invalid date in "openssl crl").
The easy fix is to put a check in CRL generation: if the nextUpdate is calculated to be >99991231235959Z, set it to 99991231235959Z. Then setting the CRL Period to 9999y (for example) will create this CRL.
- modify CRL generation in X509CAImpl
- make JUnit test to verify both normal and final CRL period
- update documentation (which is reached by clicking the ? for the CRL Period Edit CA setting)
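
The proposed check, as an added example that is not the project's X509CAImpl code: it computes nextUpdate from thisUpdate and the CRL period and caps it at 99991231235959Z, for both a normal and a final CRL period. The class name, the `nextUpdate` helper, the sample thisUpdate and the expansion of 9999y to 9999 × 365 days are assumptions.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

public class FinalCrlNextUpdate {
    // Largest value a four-digit-year GeneralizedTime can carry: 99991231235959Z.
    static final Instant MAX_NEXT_UPDATE = Instant.parse("9999-12-31T23:59:59Z");

    // Renders an Instant the way it appears in the CRL's nextUpdate field.
    static final DateTimeFormatter GENERALIZED_TIME =
            DateTimeFormatter.ofPattern("uuuuMMddHHmmss'Z'").withZone(ZoneOffset.UTC);

    // Hypothetical helper: thisUpdate + CRL period, capped at MAX_NEXT_UPDATE.
    static Instant nextUpdate(Instant thisUpdate, Duration crlPeriod) {
        try {
            Instant candidate = thisUpdate.plus(crlPeriod);
            return candidate.isAfter(MAX_NEXT_UPDATE) ? MAX_NEXT_UPDATE : candidate;
        } catch (ArithmeticException | DateTimeException e) {
            // The sum does not fit in an Instant at all, so it is past the cap.
            return MAX_NEXT_UPDATE;
        }
    }

    public static void main(String[] args) {
        Instant thisUpdate = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample
        Duration normalPeriod = Duration.ofDays(1);
        Duration finalPeriod = Duration.ofDays(9999L * 365); // assumed expansion of "9999y"

        // Normal period: nextUpdate is untouched by the cap.
        System.out.println("normal:   "
                + GENERALIZED_TIME.format(nextUpdate(thisUpdate, normalPeriod)));
        // Final CRL: the computed date is past year 9999 and is capped.
        System.out.println("final:    "
                + GENERALIZED_TIME.format(nextUpdate(thisUpdate, finalPeriod)));
        // Without the check, the year no longer fits in four digits.
        System.out.println("uncapped: "
                + GENERALIZED_TIME.format(thisUpdate.plus(finalPeriod)));
    }
}
```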