Configuring Certificate Revocation

Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.

Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.

Certificate Revocation is disabled by default in JSSE. It is defined in two places:

To enable OCSP, you must set the following system properties on the command line:

java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true

After doing the above, you can enable certificate revocation in the client:

ssl-config.checkRevocation = true

Setting checkRevocation will set the internal ocsp.enable security property automatically:

java.security.Security.setProperty("ocsp.enable", "true")

And this will set OCSP checking when making HTTPS requests.

Note

Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.

Or, if you wish to use a static CRL list, you can define a list of URLs:

ssl-config.revocationLists = [ "http://example.com/crl" ]

Further Reading