Java EE application, autentication using certificates.
How to handle revoked certificates?
Java out of box supports CRL (Certificate Revocation List), and it all works fine when I test it against static CRL file.
What is most common scenario of maintenance of CRL and validation of certificates in real life Java EE application, when application is under cluster?
Autentication with Certificates does not make any sense if there is no validation against OCSP or CRL. So, the even most simple scenario should include check if certificate is revoked.
But yet, I could not find any developer experience on this, on Web or books. OCSP and Dynamic CRL might work just fine, but there should be reliable alternative in case evocation status can not be obtained dynamically, some kid of locally stored copy of CRL.
1)How often to update CRL list, but not to affect system performance (Using some kind of Cron job)?
2)Where to store it?
Easiest solution would be on storing CRL file system, but I don't like Java EE applications writing to file system. More over, clustered environment would introduce additional issues.
Alternatively, this could be stored to DB, but it introduces complexity, and possible affects performance in multy-user environment.
Is there anyone with system using Certifcate authentication on Jave EE application, with validation against OCSP/CRL with experience to share?