Revoked Certificates in Truststores Such as the cacerts Keystore or JSSE Truststore
Applies To
Java SE JDK and JRE - Version 8 and later
Any platform
Symptoms
The Online Certificate Status Protocol (OCSP) revocation check is not performed during the Transport Layer Security (TLS) handshake, so the revocation status of the X.509 certificate is never determined. The connection is therefore established without the revoked certificate being validated.
See the JDK 8 Client-Driven OCSP and OCSP Stapling documentation. Note: this documentation may change for newer versions; check the documentation for your version.
Cause
This is caused by an incorrect configuration: the truststore itself holds the revoked certificate(s).
Certificates in the truststore are declared trusted by the client, so the client treats them as trust anchors and does not perform revocation validation on them. In other words, it will not send an OCSP request to the OCSP responder for those certificates.
As a general rule, any certificate in the truststore (not just a revoked one) is exempt from revocation validation.
Solution
Remove the revoked certificate from the truststore.
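The following helper, added here as an illustration and not part of the JDK or this note, locates a trusted-certificate entry in a truststore (the JDK cacerts file or a JSSE truststore) by its SHA-256 fingerprint, which is the value keytool -list -v prints, and optionally deletes it and writes the truststore back. The class name TruststoreAudit, the command-line layout and the fingerprint argument are assumptions; the example invocation uses the well-known default cacerts password and a placeholder fingerprint, not a real revoked certificate. Take a backup of the truststore before running it with --remove; the same deletion can be done with keytool -delete -alias as printed by the tool.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical helper (not part of the JDK): finds trusted-certificate entries in a
 * truststore by SHA-256 fingerprint and optionally removes them. Entries found here
 * are trust anchors, which the JDK never sends OCSP requests for, so a revoked
 * certificate must be removed rather than relied on to be rejected at handshake time.
 *
 * Usage:
 *   java TruststoreAudit <truststore-path> <password> <sha256-fingerprint> [--remove]
 *
 * Example (placeholder fingerprint, "changeit" is the default cacerts password):
 *   java TruststoreAudit $JAVA_HOME/lib/security/cacerts changeit AA:BB:...:FF --remove
 */
public class TruststoreAudit {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TruststoreAudit <truststore> <password> <sha256-fingerprint> [--remove]");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();
        String wanted = normalize(args[2]);
        boolean remove = args.length > 3 && "--remove".equals(args[3]);

        // JDK 8 defaults to JKS; JDK 9+ defaults to PKCS12 and loads either format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        List<String> matches = findByFingerprint(ks, wanted);
        if (matches.isEmpty()) {
            System.out.println("No trusted certificate with fingerprint " + wanted + " in " + path);
            return;
        }
        for (String alias : matches) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("Trust anchor found: alias=" + alias
                    + " subject=" + cert.getSubjectX500Principal()
                    + " serial=" + cert.getSerialNumber().toString(16));
            if (remove) {
                ks.deleteEntry(alias);
                System.out.println("  removed entry " + alias);
            } else {
                System.out.println("  to remove: keytool -delete -alias \"" + alias + "\" -keystore " + path);
            }
        }
        if (remove) {
            // Overwrites the truststore in place; back it up first.
            try (OutputStream out = new FileOutputStream(path)) {
                ks.store(out, password);
            }
        }
    }

    /** Returns the aliases of all trusted-certificate entries whose SHA-256 fingerprint matches. */
    static List<String> findByFingerprint(KeyStore ks, String fingerprintHex) throws Exception {
        String wanted = normalize(fingerprintHex);
        List<String> found = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // skip private-key entries
            Certificate cert = ks.getCertificate(alias);
            if (wanted.equals(sha256Hex(cert))) found.add(alias);
        }
        return found;
    }

    /** SHA-256 over the DER encoding, upper-case hex without separators. */
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Accepts "AA:BB:CC" (keytool -list -v form) or "aabbcc" and returns "AABBCC". */
    static String normalize(String fp) {
        return fp.replace(":", "").toUpperCase();
    }
}
```

Run it without --remove first to confirm the alias and subject match the certificate you expect to remove; note that the JDK's own cacerts file is replaced on JDK upgrade, so the removal must be repeated, or a separate JSSE truststore used, after each update.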
Last reviewed on Sat Feb 01 2025 (UTC)