
We have a distributed jms application that runs with spring-boot on oracle-linux machines. For security considerations we need to sign and verify messages. We did it by using camel-xmlsecurity with a self-signed certificate, but security rules force us to use a CA instead. So we need to provide Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) for the application.

It looks like CRL and OCSP support are provided usually by a third-party application like Microsoft Exchange Server in Windows and openssl in Linux, but I guess it should be possible in java native code level or probably by camel.

Where and how can I implement CRL and OCSP?

faghani
  • You can use openssl to build your certificates, CRLs and launch an OCSP responder. You can also do it with java using the bouncycastle library, but it is a low level library, and building each part of the PKI you need requires a considerable amount of programming effort. I'm afraid that it is too broad for this question. – pedrofb Apr 22 '19 at 19:16
  • @pedrofb I'm new to `PKI` concepts and I think my question was misleading. I don't want to launch a `CA`, there is already one that serves our company. We (as server) and our clients will receive certs from the CA for the kick, then in the application we need to check the validity of the received certs from our clients by using `CRL` and/or `OCSP` for each message. I found [a piece of code](https://stackoverflow.com/questions/38301283/java-ssl-certificate-revocation-checking/38523104#38523104) for doing so but am curious to know if it is also possible by using a library like `bouncycastle`? – faghani Apr 27 '19 at 06:44
  • I got the concept; summarizing, you want to validate the revocation of a certificate. From Java 8 you can use PKIXRevocationChecker. The bouncycastle library also allows you to perform the validation step by step: 1) extract the revocation URLs (OCSP and/or CRL) from the certificate, 2) validate the certificate using the CRL or 3) make an OCSP request to the server, 4) verify the answer (CRL/OCSP), including its digital signature – pedrofb Apr 29 '19 at 08:04
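A minimal use of the PKIXRevocationChecker route pedrofb mentions, as an added example that is not from the question or the comments; it assumes the CA and client certificates are PEM files at the placeholder paths and that the client certificate carries OCSP (AIA) and/or CRL distribution point URLs in its extensions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

public final class RevocationCheck {
    // Validates a one-certificate path anchored at the company CA. The checker
    // takes the OCSP responder (AIA) and CRL distribution point URLs from the
    // client certificate itself, so nothing is configured by hand.
    public static void validate(X509Certificate clientCert, X509Certificate caCert)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(caCert, null)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Explicit default: OCSP first, CRL as fallback, and no SOFT_FAIL, so an
        // unreachable responder or CRL fails validation (fail closed).
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(rc); // an added checker overrides setRevocationEnabled()
        cpv.validate(path, params);    // throws if expired, untrusted or revoked
    }

    private static X509Certificate load(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = load("/path/to/ca.pem");         // placeholder path (assumption)
        X509Certificate client = load("/path/to/client.pem"); // placeholder path (assumption)
        try {
            validate(client, ca);
            System.out.println("certificate is valid and not revoked");
        } catch (CertPathValidatorException e) {
            // REVOKED means the CA revoked it; UNDETERMINED_REVOCATION_STATUS means
            // the status could not be obtained. Both should reject the message.
            System.out.println("rejected: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

If the client certificate carries no AIA or CRL distribution point extension, the checker has no source to consult and validation fails with UNDETERMINED_REVOCATION_STATUS; that is the intended fail-closed behaviour rather than something to suppress with SOFT_FAIL.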
