
Is it possible to check whether any X509 certificate has been revoked or not? Actually, I made a Java application that just gets a regular https link and outputs the X509 certificate. I want to add a service in my application that checks if this certificate has been revoked or not.

Is there a tutorial or some simple code to start with that can guide me to do that?

Thank you in advance

Mike
  • http://stackoverflow.com/questions/5161504/ocsp-revocation-on-client-certificate possibly and if that's not it start reading http://en.wikipedia.org/wiki/Certificate_revocation_list and implement it. – zapl Feb 07 '14 at 21:09

1 Answer


Yes, of course the revocation status can be checked. If you want to do this "by hand", you need to extract the corresponding information from the certificate extensions, then retrieve the CRL or send the OCSP request.

But this is a very complex method, because it involves validation of signatures and certificates of the CRL and of the OCSP response.

Simpler ways are to use some existing mechanism. The answers (https://stackoverflow.com/a/8507905/47961 and https://stackoverflow.com/a/10068006/47961) seem to provide some links and solutions.

If you need more control, BouncyCastle seems to have some validation mechanisms. Our SecureBlackbox offers a powerful and flexible certificate validator as well (and it includes OCSP and CRL checks).

Eugene Mayevski 'Callback
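One way to take the "existing mechanism" route from the answer above, as an added example that is not part of the original answer: the JDK's own PKIX validator with `PKIXRevocationChecker`, which retrieves the OCSP response or CRL and validates its signature for you. The class name `RevocationCheck` and the URL are placeholders, and the `com.sun.security.enableCRLDP` property assumes the default Sun PKIX provider.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RevocationCheck {
    public static void main(String[] args) throws Exception {
        // Assumption: Sun PKIX provider. Lets it fetch CRLs from the certificate's
        // CRL Distribution Points extension when OCSP gives no answer.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Placeholder URL; pass the https link your application already handles.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : conn.getServerCertificates()) chain.add((X509Certificate) c);
        conn.disconnect();
        // A CertPath must not contain the trust anchor itself: drop a self-issued root.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            chain.remove(chain.size() - 1);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        // Trust anchors: the CA certificates in the JRE's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL option: an unreachable OCSP responder or CRL host is a failure.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        try {
            validator.validate(path, params);
            System.out.println("Chain is valid and no certificate in it is revoked");
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the chain (0 = the server's own certificate).
            boolean revoked = e.getReason() == CertPathValidatorException.BasicReason.REVOKED;
            System.out.println((revoked ? "REVOKED" : "Validation failed (" + e.getReason() + ")")
                    + " at chain index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A reason of `UNDETERMINED_REVOCATION_STATUS` means no OCSP or CRL answer could be obtained, which is different from a confirmed `REVOKED` and should be reported separately.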