Revoked Certificates


Introduction

An X.509 certificate may be revoked by its issuing certificate authority (CA), rendering it invalid before its expiry date. The revocation status of a certificate must be verified before it can be trusted. The two main methods for doing so are Certificate Revocation Lists and the Online Certificate Status Protocol.


Certificate Revocation Lists

A Certificate Revocation List (CRL) is a time-stamped list identifying revoked certificates. It is signed by a CA and made freely available in a public repository. Each revoked certificate is identified in a CRL by its certificate serial number.

An application that receives a certificate fetches the CRL from the CRL server and checks whether the certificate's serial number appears on the list.

There are two main disadvantages with CRLs. First, they can become very large, leading to a lot of network traffic. Second, many of them are issued with long validity periods, so a certificate revoked during that period does not show up as revoked until the next CRL refresh.
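The following is an added example (not part of the Oracle documentation) of the client-side check just described, written against the standard java.security.cert API. It verifies that the CRL was signed by the certificate's issuer, refuses a CRL whose nextUpdate has passed (the stale-CRL problem noted above), and then looks up the certificate by serial number. The file names server.pem, ca.pem and ca.crl are assumptions; the class name CrlCheck is also invented for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/* Added example: revocation check of one certificate against a locally held CRL. */
public class CrlCheck {

    /** Outcome of the check; anything other than GOOD should stop the certificate being trusted. */
    enum Status { GOOD, REVOKED, CRL_UNTRUSTED, CRL_STALE }

    static Status check(X509Certificate cert, X509Certificate issuerCert, X509CRL crl) {
        // 1. The list is only meaningful if it was signed by the CA that issued the certificate
        //    and names that CA as its issuer; otherwise it could be anyone's list.
        try {
            crl.verify(issuerCert.getPublicKey());
        } catch (GeneralSecurityException e) {
            return Status.CRL_UNTRUSTED;
        }
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.CRL_UNTRUSTED;
        }

        // 2. A CRL past its nextUpdate may be missing revocations that happened since it was
        //    published, so it is treated as unusable rather than as evidence of a good status.
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(new Date())) {
            return Status.CRL_STALE;
        }

        // 3. Revoked certificates are listed by serial number; a matching entry means revoked.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry != null) {
            System.out.println("Serial " + cert.getSerialNumber().toString(16)
                    + " revoked on " + entry.getRevocationDate()
                    + (entry.getRevocationReason() != null
                            ? " (" + entry.getRevocationReason() + ")" : ""));
            return Status.REVOKED;
        }
        return Status.GOOD;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        X509Certificate issuer;
        X509CRL crl;
        // Assumed file names: the end-entity certificate, its issuing CA, and that CA's CRL.
        try (InputStream in = new FileInputStream("server.pem")) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream("ca.pem")) {
            issuer = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream("ca.crl")) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println("Status: " + check(cert, issuer, crl));
    }
}
```

The order of the three steps matters: signature verification comes first so that the staleness and serial-number checks are only ever made against a list the issuing CA actually produced, and a stale CRL is reported as its own failure rather than silently returning GOOD.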

CRLs are discussed further in the section ‘Java PKI Programmer’s Guide’ in Java Platform, Standard Edition Security Developer’s Guide.


Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is used to determine the revocation status of an X.509 certificate during a TLS handshake. It is disabled by default in the JDK.

In client-driven OCSP, the client uses OCSP to contact an OCSP responder to check the certificate’s revocation status. To enable client-driven OCSP revocation checking:

  • Set the system property com.sun.net.ssl.checkRevocation to true or use the setRevocationEnabled method on PKIXParameters
  • Set the security property ocsp.enable to true

OCSP stapling enables the server, rather than the client, to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake. It can be enabled on the server via the jdk.tls.server.enableStatusRequestExtension system property.
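As an added example (not code from the Oracle documentation), the class below builds an SSLContext whose trust manager performs client-driven OCSP checking using the two settings listed above, expressed programmatically: revocation is switched on with setRevocationEnabled on the PKIX parameters, and the ocsp.enable security property is set. It also attaches a PKIXRevocationChecker, which is the JDK API for choosing between OCSP and CRL behaviour. The class name OcspClientContext and the trust-store file name truststore.p12 with its password are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* Added example: an SSLContext that checks peer certificates with client-driven OCSP. */
public class OcspClientContext {

    static SSLContext build(KeyStore trustStore) throws Exception {
        // Security property from the documentation (note: not a system property). It enables OCSP
        // in the default PKIX revocation path; the explicit checker below prefers OCSP regardless.
        Security.setProperty("ocsp.enable", "true");

        // Programmatic equivalent of com.sun.net.ssl.checkRevocation=true.
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);

        // The PKIX revocation checker tries OCSP first and falls back to CRLs by default.
        // NO_FALLBACK disables the CRL fallback. SOFT_FAIL is deliberately left out, so an
        // unreachable or failing OCSP responder causes the handshake to fail rather than pass.
        PKIXRevocationChecker checker = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed trust store: a PKCS12 file holding the CA certificates to trust.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("truststore.p12")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        SSLContext ctx = build(trustStore);
        System.out.println("Protocol: " + ctx.getProtocol());
        // A server that should answer with stapled OCSP responses instead is started with
        // -Djdk.tls.server.enableStatusRequestExtension=true, as described above.
    }
}
```

Using a PKIXRevocationChecker rather than only the properties makes the failure policy explicit in code: with SOFT_FAIL omitted, a connection is not trusted merely because the responder could not be reached, which is the outcome a defender normally wants.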

OCSP is discussed further in the section ‘Java Secure Socket Extension (JSSE) Reference Guides’ included in Java Platform, Standard Edition Security Developer’s Guide.


Last reviewed on February 1, 2025