Validate X509 certificates using Java APis

Question

I am trying to validate a certificate against java key store and this is the code I am using is as below. If it completes succesfully then I assume the validation has gone t

Answer 1

Normally, a certificate will be issued by an intermediate issuing authority, not a "root" authority (which is all that should be in your trust store). Most protocols encourage sending a "chain" of certificates, not just the entity's certificate.

You should add all of the intermediate certs so that a complete chain can be formed.

In order to be certain that the certificate is still valid, you should not disable revocation checks. If you don't want to retrieve a CRL (which can be large), the issuer may offer OCSP support. But, this has to be enabled in the Java runtime by setting certain system properties.

If the path validator returns successfully, you don't need to check anything else. If the certificate is not valid, an exception will be raised.

Also, an explicit check on the validity date is unnecessary. This occurs during validation (using the current time, unless you specify a time via the PKIXParameters).

---

For a more extensive discussion of validation, including sample code, see a previous answer of mine.