OCSP Validation, X.509 Certificate Validation

lakmal indika

Joined: Oct 25, 2012
Posts: 1
Hi All, I'm trying to validate an X.509 certificate using Java, but it always gives an error: "Validation failure, cert Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue to resolve this?

=========================Code ===========================================================
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class OCSPCheck {
    private static final String TEST_RESPONDER_URL = "";
    // private static final String TEST_RESPONDER_URL = "";

    public static void main(String[] args) {
        try {
            // X509Certificate caCert = readCert("TDCOCESSTEST2.cer");
            // X509Certificate clientCert = readCert("PIDTestBruger2.cer");
            // CA certificate
            X509Certificate caCert = readCert("F:...4 Development\\X509Validation\\src...");
            // Client certificate
            X509Certificate clientCert = readCert("F:...4 Development\\X509Validation\\src...");
            List<X509Certificate> certList = new Vector<>();
            // The certification path to validate holds the client certificate
            certList.add(clientCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(certList);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Set the trust anchor
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            //System.out.println(anchor.toString() + "CA NAME");
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            // Revocation checking is enabled by default in PKIXParameters;
            // these security properties make the PKIX validator use OCSP
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            // Validate and obtain results
            try {
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();

                System.out.println("Query Result ");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (Exception cpve) {
                System.out.println("Validation failure, cert :"
                        + cpve.toString());
            }
            // } catch (CertPathValidatorException cpve) {
            //     System.out.println("Validation failure, cert["
            //             + cpve.getIndex() + "] :" + cpve.getMessage() + " " + cpve.toString());
            // }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Reads a single X.509 certificate from a file and closes the stream afterwards
    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        try (InputStream is = new FileInputStream(fileName);
             BufferedInputStream bis = new BufferedInputStream(is)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(bis);
            return cert;
        }
    }
}
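
The error quoted in the post is about whether the certificate that signed the OCSP response is an authorized responder for the issuing CA. As an added example (not part of the original post; the class name `ResponderAuthCheck` and the two file arguments are assumptions), this checks a saved responder certificate against the authorization rules of RFC 6960 section 4.2.2.2:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

// Added diagnostic, hypothetical class name: classifies an OCSP responder certificate
// relative to the CA that issued the certificate whose status is being checked.
public class ResponderAuthCheck {
    // id-kp-OCSPSigning extended key usage OID
    static final String OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    static String classify(X509Certificate issuer, X509Certificate responder) throws Exception {
        // Case 1: the response is signed by the issuing CA itself.
        if (responder.equals(issuer)) {
            return "authorized: responder is the issuing CA";
        }
        // Case 2: delegated responder, must be issued directly by that same CA ...
        boolean issuedByCa =
                responder.getIssuerX500Principal().equals(issuer.getSubjectX500Principal());
        if (issuedByCa) {
            try {
                responder.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                issuedByCa = false; // names match but the CA key did not sign it
            }
        }
        // ... and must carry the OCSPSigning extended key usage.
        List<String> eku = responder.getExtendedKeyUsage();
        boolean hasOcspEku = eku != null && eku.contains(OCSP_SIGNING);
        if (issuedByCa && hasOcspEku) return "authorized: delegated responder of the issuing CA";
        if (issuedByCa) return "not authorized: issued by the CA but lacks the OCSPSigning EKU";
        // Case 3: anything else is acceptable only through explicit local configuration.
        return "not authorized by delegation: different issuer, requires local trust configuration";
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ResponderAuthCheck <issuing-ca-cert> <responder-cert>");
            return;
        }
        System.out.println(classify(load(args[0]), load(args[1])));
    }
}
```

In the JDK, the local-configuration case corresponds to the `ocsp.responderCertSubjectName` security property (or `ocsp.responderCertIssuerName` together with `ocsp.responderCertSerialNumber`), which names the responder certificate to trust.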

Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

Cross posted to
Henry Wong

Joined: Sep 28, 2004
Posts: 18546

Please note that JavaRanch actually allows crossposting to other sites...

However, we do require that you be forthright about it. Crossposting tends to waste ranchers' time and effort, so please be honest about it.


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)