Certificate validation against CRL on Java EE - common scenario, experience?

Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
Java EE application, authentication using certificates.

How to handle revoked certificates?

Java supports CRL (Certificate Revocation List) out of the box, and it all works fine when I test it against a static CRL file.

What is the most common scenario for maintenance of the CRL and validation of certificates in a real-life Java EE application, when the application is in a cluster?

Authentication with certificates does not make any sense if there is no validation against OCSP or CRL. So even the most simple scenario should include a check of whether the certificate is revoked.

But yet, I could not find any developer experience on this, on the Web or in books. OCSP and dynamic CRL might work just fine, but there should be a reliable alternative in case revocation status cannot be obtained dynamically, some kind of locally stored copy of the CRL.

1) How often to update the CRL list, without affecting system performance (using some kind of cron job)?
2) Where to store it?
The easiest solution would be storing the CRL on the file system, but I don't like Java EE applications writing to the file system. Moreover, a clustered environment would introduce additional issues.

Alternatively, this could be stored in a DB, but it introduces complexity, and possibly affects performance in a multi-user environment.

Is there anyone with a system using certificate authentication on a Java EE application, with validation against OCSP/CRL, with experience to share?

Thanks.

Haroon Mahmood
Greenhorn

Joined: Apr 01, 2008
Posts: 2
Hello Dear,
I need a program which checks the validity of a certificate by checking the CRL. I am new to Java, so if you can help me in this regard, I will be thankful to you.

Thanks
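
The scenario raised in this thread (dynamic revocation checking with a locally held CRL copy as the fallback), written against the standard `java.security.cert` API. This is an added example, not code from either poster: the class name `CachedCrlValidator` and its `refresh` method are hypothetical, and fetching and storing the CRL bytes (file, DB BLOB, shared cache) is left to the caller.

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class CachedCrlValidator { // hypothetical class, not from the thread
    private final Set<TrustAnchor> anchors;
    // Replaced as a whole by a scheduled refresh job; read on every authentication.
    private volatile List<X509CRL> cachedCrls = Collections.emptyList();

    public CachedCrlValidator(Set<TrustAnchor> anchors) { this.anchors = anchors; }

    // Parse freshly fetched CRLs and publish them; on a parse error the old set stays.
    public void refresh(List<InputStream> sources) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> fresh = new ArrayList<>();
        for (InputStream in : sources) fresh.add((X509CRL) cf.generateCRL(in));
        cachedCrls = Collections.unmodifiableList(fresh);
    }

    // chain: client certificate first, trust anchor itself not included.
    // Throws CertPathValidatorException if the chain is invalid, revoked or unverifiable.
    public void validate(List<X509Certificate> chain) throws Exception {
        Date now = new Date();
        List<X509CRL> usable = new ArrayList<>();
        for (X509CRL crl : cachedCrls) {
            // Offer only CRLs still inside their validity window; a CRL past
            // nextUpdate cannot vouch for certificates revoked since it was issued.
            if (crl.getNextUpdate() != null && crl.getNextUpdate().after(now)) usable.add(crl);
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(usable)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // No options: OCSP is preferred, CRLs are the fallback, and SOFT_FAIL is off,
        // so an undeterminable revocation status rejects the certificate.
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(rc);
        cpv.validate(path, params);
    }
}
```

Each cluster node can hold its own in-memory copy and call `refresh` on a timer, scheduled from the CRL's `nextUpdate` value; the validation path then never touches the file system or database.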