Documentation

You are viewing the documentation for the 2.3.2 release in the 2.3.x series of releases. The latest stable release series is 3.0.x.

§Configuring Certificate Revocation

Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.

Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.

Certificate Revocation is disabled by default in JSSE. It is defined in two places:

To enable OCSP, you must set the following system properties on the command line:

java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true

After doing the above, you can enable certificate revocation in the client:

ws.ssl.checkRevocation = true

Setting checkRevocation will set the internal ocsp.enable security property automatically:

java.security.Security.setProperty("ocsp.enable", "true")

And this will set OCSP checking when making HTTPS requests.

NOTE: Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.

Or, if you wish to use a static CRL list, you can define a list of URLs:

ws.ssl.revocationLists = [ "http://example.com/crl" ]

§Debugging

To test certificate revocation is enabled, set the following options:

ws.ssl.debug = [ "certpath", "ocsp" ]

And you should see something like the following output:

certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: connecting to OCSP service at: http://gtssl2-ocsp.geotrust.com
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder's name: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US
certpath: OCSP response produced at: Wed Mar 19 13:57:32 PDT 2014
certpath: OCSP number of SingleResponses: 1
certpath: OCSP response cert #1: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US
certpath: Status of certificate (with serial number 159761413677206476752317239691621661939) is: GOOD
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Verified signature of OCSP Response
certpath: Response's validity interval is from Wed Mar 19 13:57:32 PDT 2014 until Wed Mar 26 13:57:32 PDT 2014
certpath: -checker7 validation succeeded

§Further Reading

Next: Configuring Hostname Verification