Checking a X509 Certificate Revocation

放肆的年华 submitted on 2021-02-19 06:41:36

Question


Is it possible to check whether any X509 certificate is revoked or not? Actually, I made a Java application that just gets a regular https link and outputs the X509 certificate. I want to add a service to my application that checks whether this certificate has been revoked.

Is there a tutorial or some simple code to start with that can guide me to do that?

Thank you in advance


Answer 1:


Yes, of course the revocation status can be checked. If you want to do this "by hand", you need to extract the corresponding information from the certificate extensions, then retrieve the CRL or send the OCSP request.

But this is a very complex method, because it involves validation of signatures and certificates of the CRL and of the OCSP response.

A simpler way is to use some existing mechanism. The answers (https://stackoverflow.com/a/8507905/47961 and https://stackoverflow.com/a/10068006/47961) seem to provide some links and solutions.

If you need more control, BouncyCastle seems to have some validation mechanisms. Our SecureBlackbox offers a powerful and flexible certificate validator as well (and it includes OCSP and CRL checks).
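As an added example (not part of the original answer), the JDK's own PKIX validator can perform the OCSP/CRL lookup and the signature checks on the responses that the answer describes as complex to do by hand. The class name `RevocationCheck` and the default URL `https://example.com/` are assumptions for illustration, and the program needs network access to the server and to its CA's OCSP responder or CRL host.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RevocationCheck {
    public static void main(String[] args) throws Exception {
        // Let the JDK fetch CRLs named in the CRL Distribution Points extension
        // when OCSP gives no answer (Sun/Oracle provider property).
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Hypothetical default target; pass your own https URL as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        Certificate[] served = conn.getServerCertificates();
        conn.disconnect();

        // Trust anchors: the CA certificates in the JDK default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<X509Certificate> roots = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                roots.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) anchors.add(new TrustAnchor(root, null));

        // The path must not contain the anchor itself, so stop at the first trusted cert.
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : served) {
            if (roots.contains(c)) break;
            path.add(c);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL: an unreachable responder is reported as a failure, not ignored.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        try {
            validator.validate(certPath, params);
            System.out.println("Chain is valid and no certificate is revoked");
        } catch (CertPathValidatorException e) {
            // Revocation failures carry reason REVOKED or UNDETERMINED_REVOCATION_STATUS.
            System.out.println("Validation failed: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

Adding `PKIXRevocationChecker.Option.SOFT_FAIL` to the options makes network errors non-fatal, at the cost of accepting a certificate whose status could not be determined.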



Source: https://stackoverflow.com/questions/21637708/checking-a-x509-certificate-revocation
