This article describes how to handle OCSP revocation checking of client certificates. It should be a useful reference for anyone working on this problem.

Problem description

How do I manually check for certificate revocation status in java using OCSP, given just a client's java.security.cert.X509Certificate? I can't see a clear way to do it.

Alternatively, can I make tomcat do it for me automatically, and how do you know your solution to be true?

Recommended answer

I found a most excellent solution:

    /**
     * This is a class that checks the revocation status of a certificate(s) using
     * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
     * the CertPathValidator framework. It is useful when you want to
     * just check the revocation status of a certificate, and you don't want to
     * incur the overhead of validating all of the certificates in the
     * associated certificate chain.
     *
     * @author Sean Mullan
     */

It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does the trick!

05-29 13:25