diff --git a/atst/domain/authnid/__init__.py b/atst/domain/authnid/__init__.py
index fab6e722..25c04a5d 100644
--- a/atst/domain/authnid/__init__.py
+++ b/atst/domain/authnid/__init__.py
@@ -1,7 +1,7 @@
 from atst.domain.exceptions import UnauthenticatedError, NotFoundError
 from atst.domain.users import Users
 from .utils import parse_sdn, email_from_certificate
-from .crl import CRLRevocationException
+from .crl import CRLRevocationException, CRLInvalidException
 
 
 class AuthenticationContext:
@@ -47,6 +47,8 @@ class AuthenticationContext:
 def _crl_check(self):
 try:
 self.crl_cache.crl_check(self.cert)
+ except CRLInvalidException as exc:
+ raise UnauthenticatedError("CRL expired. " + str(exc))
 except CRLRevocationException as exc:
 raise UnauthenticatedError("CRL check failed. " + str(exc))
 
diff --git a/tests/domain/authnid/test_authentication_context.py b/tests/domain/authnid/test_authentication_context.py
index 1ca967c3..820f7028 100644
--- a/tests/domain/authnid/test_authentication_context.py
+++ b/tests/domain/authnid/test_authentication_context.py
@@ -1,7 +1,11 @@
 import pytest
 from atst.domain.authnid import AuthenticationContext
-from atst.domain.authnid.crl import CRLCache, CRLRevocationException
+from atst.domain.authnid.crl import (
+ CRLCache,
+ CRLRevocationException,
+ CRLInvalidException,
+)
 from atst.domain.exceptions import UnauthenticatedError, NotFoundError
 from atst.domain.users import Users
 
@@ -12,12 +16,15 @@ CERT = open("tests/fixtures/{}.crt".format(FIXTURE_EMAIL_ADDRESS)).read()
 
 
 class MockCRLCache:
- def __init__(self, valid=True):
+ def __init__(self, valid=True, expired=False):
 self.valid = valid
+ self.expired = expired
 
 def crl_check(self, cert):
 if self.valid:
 return True
+ elif self.expired == True:
+ raise CRLInvalidException()
 raise CRLRevocationException()
 
 
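Review bot: The new `except CRLInvalidException` branch in `_crl_check` labels every CRLInvalidException as "CRL expired.", yet the test_crl.py hunks in this same commit expect CRLInvalidException for a certificate whose issuer has no CRL loaded, so a user in that situation would be told their CRL expired. Since `str(exc)` is already appended, a neutral prefix such as `raise UnauthenticatedError("CRL invalid. " + str(exc))` would describe both conditions accurately, with the matching `assert "CRL expired" in message` in test_authentication_context.py updated alongside it. Whichever wording is kept, a short comment above the branch stating which CRL conditions raise CRLInvalidException (presumably expiry and missing issuer, based on the tests — verify in crl.py) would let the next reader understand why both exception types map to the same fail-closed UnauthenticatedError. `_crl_check` is shown in full; the rest of AuthenticationContext is outside the hunk.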
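Review bot: `elif self.expired == True:` in MockCRLCache.crl_check compares against True with `==`; the idiomatic form is `elif self.expired:`. Because the `valid` check runs first, `MockCRLCache(expired=True)` with the default `valid=True` never raises, which is why the new test has to pass `valid=False` explicitly; a one-line comment on `__init__` such as `# expired only takes effect when valid=False` would keep later tests from tripping on that ordering. The mock class is shown in full; the tests that use it follow outside the hunk.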
@@ -45,6 +52,17 @@ def test_crl_check_fails():
 assert "CRL check" in message
 
 
+def test_expired_crl_check_fails():
+ auth_context = AuthenticationContext(
+ MockCRLCache(valid=False, expired=True), "SUCCESS", DOD_SDN, CERT
+ )
+ with pytest.raises(UnauthenticatedError) as excinfo:
+ assert auth_context.authenticate()
+
+ (message,) = excinfo.value.args
+ assert "CRL expired" in message
+
+
 def test_bad_sdn():
 auth_context = AuthenticationContext(MockCRLCache(), "SUCCESS", "abc123", CERT)
 with pytest.raises(UnauthenticatedError) as excinfo:
diff --git a/tests/domain/authnid/test_crl.py b/tests/domain/authnid/test_crl.py
index c51e9a2a..6e9800a5 100644
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@@ -188,7 +188,7 @@ def test_can_dynamically_update_crls(tmpdir):
 assert cache.crl_check(cert)
 # override the original CRL with one that revokes atat.mil.crt
 shutil.copyfile("tests/fixtures/test.der.crl", crl_file)
- with pytest.raises(CRLRevocationException):
+ with pytest.raises(CRLInvalidException):
 assert cache.crl_check(cert)
 
 
@@ -197,7 +197,7 @@ def test_throws_error_for_missing_issuer():
 # this cert is self-signed, and so the application does not have a
 # corresponding CRL for it
 cert = open("tests/fixtures/{}.crt".format(FIXTURE_EMAIL_ADDRESS), "rb").read()
- with pytest.raises(CRLRevocationException) as exc:
+ with pytest.raises(CRLInvalidException) as exc:
 assert cache.crl_check(cert)
 (message,) = exc.value.args
 # objects that the issuer is missing
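Review bot: In test_can_dynamically_update_crls the comment on the line above the changed assertion still says the replacement CRL "revokes atat.mil.crt", but the test now expects CRLInvalidException instead of CRLRevocationException, so it no longer demonstrates that a revoked certificate is rejected after a dynamic CRL reload — only that the reload produced a CRL the cache refuses to use. If tests/fixtures/test.der.crl is expired or otherwise fails validation, the comment should say so, e.g. `# override the original CRL with one that fails validation (CRLInvalidException)`; if revocation-after-reload is still meant to be covered, a second fixture that is valid and actually revokes the certificate is needed next to this one. The same CRLRevocationException→CRLInvalidException swap in test_throws_error_for_missing_issuer is consistent with a missing issuer now being reported as "invalid" rather than "revoked". The hunk shows only the tail of the test; its setup is outside the hunk.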