Managing certificate revocation

The toolkit can use CRL revocation checking, online certificate status protocol (OCSP) revocation, or both methods based on a pre-configured revocation configuration.

Initializing the revocation settings

Create an object for revocation configuration.

UserRevocationInfo revinfo = new UserRevocationInfo();

Enabling the trust cache

Optionally, set the trust cache interval: the number of seconds for which a certificate, once validated, is considered valid without being rechecked.

revinfo.setTrustCacheInterval(900);

Initializing the OCSP settings

Add an object for OCSP-specific parameters.

OCSPConfiguration ocspconfig1 = new OCSPConfiguration();
revinfo.addOCSPConfiguration(ocspconfig1);

Add a group of OCSP responders.

OCSPConfiguration ocspconfig2 = new OCSPConfiguration();
ocspconfig2.setURLLocation(new URL("http://responder2.location.com:80"));
ocspconfig2.addCADN(new Name("o=responder2,c=ca"));
OCSPConfiguration ocspconfig3 = new OCSPConfiguration();
ocspconfig3.setURLLocation(new URL("http://responder3.location.com:80"));
ocspconfig3.addCADN(new Name("o=responder3,c=ca"));
ocspconfig3.setAIAChecking(false);
revinfo.addOCSPGroup(new OCSPConfiguration[]{ocspconfig2,ocspconfig3});

Enabling CRL revocation

Optionally, enable CRL revocation checking.

revinfo.addCRLRevocationChecking(true);

Writing the settings

Write out the revocation settings for later use.

revinfo.writePropertiesFile(new FileOutputStream("U:\\Development\\JavaTK\\OCSP\\programmers.properties"), null);

The contents of a sample configuration file are shown below.

#Revocation Configuration file written by Entrust
#Written on: Mon Jun 05 16:23:29 EDT 2006
 
# OCSP Configuration number: 0
ocspconfig.name.0 = config0
config0.AIAChecking = true
config0.ConnectTimeout = 0
config0.ReadTimeout = 0
config0.IncludeRequestorName = true
config0.IncludeAcceptableResponse = false
config0.Nonce = false
config0.CertIDHashAlgorithm = sha256
 
# OCSP Configuration number: 1
ocspconfig.name.1 = config1
config1.AccessLocation = http://responder2.location.com:80
config1.AIAChecking = true
config1.ConnectTimeout = 0
config1.ReadTimeout = 0
config1.IncludeRequestorName = true
config1.IncludeAcceptableResponse = false
config1.Nonce = false
config1.CertIDHashAlgorithm = sha256
config1.CADN.0 = o=responder2,c=ca
 
# OCSP Configuration number: 2
ocspconfig.name.2 = config2
config2.AccessLocation = http://responder3.location.com:80
config2.AIAChecking = false
config2.ConnectTimeout = 0
config2.ReadTimeout = 0
config2.IncludeRequestorName = true
config2.IncludeAcceptableResponse = false
config2.Nonce = false
config2.CertIDHashAlgorithm = sha256
config2.CADN.0 = o=responder3,c=ca
 
# CRL Configuration:
crl.requireCRL = true
 
# Revocation configuration order defined below
localconfig.0 = config0
localgroup.1 = config1:config2
crlconfig.2 = true
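As an added example (not part of the toolkit or of this page), a small Python reader for the properties file above that reconstructs the checking order and folds each configuration's CADN.n entries into a list. It assumes, from the "order defined below" comment, that the localconfig/localgroup/crlconfig indexes give the sequence in which checks are tried and that a localgroup value lists its responders separated by colons; the embedded file is constructed from the page's layout, with config2's Nonce set to true so the audit helper has something to distinguish.

```python
import re
# Constructed sample in the page's file format (config2.Nonce flipped to true).
SAMPLE = """\
ocspconfig.name.0 = config0
config0.Nonce = false
ocspconfig.name.1 = config1
config1.AccessLocation = http://responder2.location.com:80
config1.Nonce = false
config1.CADN.0 = o=responder2,c=ca
ocspconfig.name.2 = config2
config2.AccessLocation = http://responder3.location.com:80
config2.AIAChecking = false
config2.Nonce = true
config2.CADN.0 = o=responder3,c=ca
crl.requireCRL = true
localconfig.0 = config0
localgroup.1 = config1:config2
crlconfig.2 = true
"""
ORDER_KEY = re.compile(r"^(localconfig|localgroup|crlconfig)\.(\d+)$")
KIND = {"localconfig": "ocsp", "localgroup": "ocsp-group", "crlconfig": "crl"}

def parse_properties(text):
    """Minimal 'key = value' reader; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def ocsp_configs(props):
    """Settings of each named OCSP configuration, with CADN.n folded into a list."""
    configs = {}
    for name in [v for k, v in props.items() if k.startswith("ocspconfig.name.")]:
        prefix = name + "."
        s = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
        s["CADN"] = [s.pop(k) for k in sorted(s) if k.startswith("CADN.")]
        configs[name] = s
    return configs

def revocation_order(props):
    """Checking steps in index order (assumed); localgroup values are colon-separated."""
    steps = [(int(m.group(2)), KIND[m.group(1)], v.split(":"))
             for k, v in props.items() if (m := ORDER_KEY.match(k))]
    return [(kind, names) for _, kind, names in sorted(steps)]

def configs_without_nonce(props):
    """OCSP configurations whose requests carry no nonce, so a cached response could be replayed."""
    return [n for n, s in ocsp_configs(props).items() if s.get("Nonce") != "true"]
```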

Adding the settings to the user

Create a user settings object.

UserConfigSettings usersettings = new UserConfigSettings();

Add the revocation settings.

usersettings.setRevocationInfo(revinfo);

Add the revocation settings to the user.

User user = new User(usersettings);