OCSP Revocation on client certificate

java security tomcat x509certificate ocsp
gtrak picture gtrak · Mar 2, 2011 · Viewed 20.1k times · Source

How do I manually check for certificate revocation status in java using OCSP, given just a client's java.security.cert.X509Certificate? I can't see a clear way to do it.

Alternatively, can I make tomcat do it for me automatically, and how do you know your solution to be true?

Answer

gtrak picture gtrak · Mar 9, 2011

I found a most excellent solution:

http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html

        /**
   54    * This is a class that checks the revocation status of a certificate(s) using
   55    * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
   56    * the CertPathValidator framework. It is useful when you want to
   57    * just check the revocation status of a certificate, and you don't want to
   58    * incur the overhead of validating all of the certificates in the
   59    * associated certificate chain.
   60    *
   61    * @author Sean Mullan
   62    */

It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does the trick!

Related questions

Using Apache httpclient for https

I have enabled https in tomcat and have a self-signed certificate for server auth. I have created an http client using Apache httpClient. I have set a trust manager loading the server certificate. The http client can connect with server …

Read More
Imported certificate to Java keystore, JVM ignores the new cert

I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL. I imported certificate of the server to keystore using: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts …

Read More
Forcing Tomcat to use secure JSESSIONID cookie over http

Is there a way to configure Tomcat 7 to create JSESSIONID cookie with a secure flag in all occasions? Usual configuration results in Tomcat flagging session cookie with secure flag only if connection is made through https. However in my production …

Read More