§Configuring Certificate Revocation

Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.

Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.

Certificate Revocation is disabled by default in JSSE. It is defined in two places:

To enable OCSP, you must set the following system properties on the command line:


After doing the above, you can enable certificate revocation in the client: = true

Setting checkRevocation will set the internal ocsp.enable security property automatically:"ocsp.enable", "true")

And this will set OCSP checking when making HTTPS requests.

Note: Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.

Or, if you wish to use a static CRL list, you can define a list of URLs: = [ "" ]


To test certificate revocation is enabled, set the following options: = {
 certpath = true
 ocsp = true

And you should see something like the following output:

certpath: -Using checker7 ... []
certpath: connecting to OCSP service at:
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder's name: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US
certpath: OCSP response produced at: Wed Mar 19 13:57:32 PDT 2014
certpath: OCSP number of SingleResponses: 1
certpath: OCSP response cert #1: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US
certpath: Status of certificate (with serial number 159761413677206476752317239691621661939) is: GOOD
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Verified signature of OCSP Response
certpath: Response's validity interval is from Wed Mar 19 13:57:32 PDT 2014 until Wed Mar 26 13:57:32 PDT 2014
certpath: -checker7 validation succeeded

§Further Reading

Next: Configuring Hostname Verification

Found an error in this documentation? The source code for this page can be found here. After reading the documentation guidelines, please feel free to contribute a pull request.