使用Java检查证书吊销状态
[英]Check certificate revocation status with Java
问题描述
Is it possible to implement revocation checking on a digital certificate (a *.cer file) with a Java program, without any connection to the Internet by the program? 
是否可以使用Java程序在数字证书( *.cer文件)上执行吊销检查,而无需该程序与Internet的任何连接?
I can download the CRL from a CA's web site and put it on the server where the program is running. 我可以从CA的网站上下载CRL ,并将其放在运行程序的服务器上。 How does my program check the certificate's revocation status against that downloaded CRL ? 我的程序如何根据下载的CRL检查证书的吊销状态?
1 个解决方案
解决方案1
0 已采纳 2015-03-09 15:31:31
If you want to rely on your CRL, you have to keep the CRL up to date.
如果你想依靠你的CRL, 你必须保持CRL是最新的。 I do not recomment this. 我不建议这样做。 When to update the CRL?
何时更新CRL? CRLs may contain an expiration date, in which case you need to download the "newer-released" CRL after that date. CRL可能包含到期日期,在这种情况下,您需要在该日期之后下载“较新发布的” CRL。 (sometimes CA publish CRLs before their expiration date, you should check that as well) (有时CA会在CRL的过期日期之前发布CRL,您也应该检查一下) To rely solely on CRLs you need to check the 'revokedCertificates' field from the X509CRL .
单纯依靠的CRL您需要从检查“revokedCertificates”字段X509CRL 。 If your certificate is contained in the collection it was revoked. 如果您的证书包含在集合中,则该证书已被撤销。 Keep in mind to check the revocation date if it is on the list. 请记住检查吊销日期是否在列表中。
I would recomment to read the RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile as well. 我建议阅读RFC 5280:Internet X.509公钥基础结构证书和证书吊销列表(CRL)配置文件 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.