Milan Tomic wrote:
Hello Sean,
Thank you very much for your help. I've read RFC 3280 and I understand PKIX a little better now. :)
Please, could you give me some small example of CertStore (PKIX) usage? Retrieving CRLs using the HTTP and LDAP protocols and validating that a cert is not revoked.
If the certificates in the chain contain CRL Distribution Point extensions meeting the following criteria:
1. the distribution point specifies a fullName of type URI,
2. the URI is not of type LDAP, and
3. cRLIssuer and reasons are not set,
then revocation checking will be handled automatically by Sun's PKIX CertPathValidator or CertPathBuilder implementation if you have set the system property com.sun.security.enableCRLDP to the value true.
If you have CRLs stored in other locations, such as an LDAP Directory or an in-memory Collection, you will need to instantiate these CertStores and add them using the PKIXParameters.addCertStore method before you validate or build the cert chain.
HTH, Sean
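The following is an added example (not part of Sean's reply or Sun's own code) that puts the two pieces of advice above together: it sets com.sun.security.enableCRLDP so the PKIX validator fetches HTTP CRLs from the certificates' CRL Distribution Points itself, and it shows how CRLs obtained some other way (fetched from an HTTP URL by hand, or looked up in an LDAP directory) are handed to the validator through PKIXParameters.addCertStore. The file paths, the LDAP host/port and the helper names are assumptions; the chain is passed leaf-first, as java.security.cert.CertPath expects.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.*;
import java.util.*;

public class PkixCrlValidation {

    /**
     * Validates certChain (leaf first) up to trustAnchorCert with revocation
     * checking enabled. extraCrls holds CRLs the caller already retrieved by
     * other means (HTTP by hand, a local cache); extraStores holds CertStores
     * such as an LDAP directory. Both may be empty. (Added example; the
     * parameter layout is an assumption, not a Sun API.)
     */
    public static PKIXCertPathValidatorResult validate(
            List<X509Certificate> certChain,
            X509Certificate trustAnchorCert,
            Collection<X509CRL> extraCrls,
            List<CertStore> extraStores) throws Exception {

        // Let Sun's PKIX implementation follow HTTP CRL Distribution Points
        // (fullName URI, non-LDAP, no cRLIssuer/reasons) on its own.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(certChain);

        TrustAnchor anchor = new TrustAnchor(trustAnchorCert, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);  // the default, stated explicitly

        // CRLs that live somewhere the validator cannot reach by itself:
        // wrap an in-memory collection as a "Collection" CertStore ...
        if (extraCrls != null && !extraCrls.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(extraCrls)));
        }
        // ... and register any other stores (e.g. LDAP) the same way.
        if (extraStores != null) {
            for (CertStore store : extraStores) {
                params.addCertStore(store);
            }
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // Throws CertPathValidatorException if any cert is revoked, the CRL
        // cannot be obtained, or the chain is otherwise invalid.
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /** Fetches a CRL over HTTP yourself, e.g. from a DP the validator will not follow. */
    public static X509CRL fetchCrlOverHttp(String crlUrl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new URL(crlUrl).openStream()) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /** A CertStore backed by an LDAP directory (the PKIX code queries it by issuer DN). */
    public static CertStore ldapCertStore(String host, int port) throws Exception {
        return CertStore.getInstance("LDAP", new LDAPCertStoreParameters(host, port));
    }

    private static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file layout: args[0] = trust anchor, args[1..] = chain, leaf first.
        X509Certificate anchor = loadCert(args[0]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            chain.add(loadCert(args[i]));
        }

        List<X509CRL> crls = new ArrayList<>();
        // crls.add(fetchCrlOverHttp("http://crl.example.test/ca.crl"));   // hypothetical URL
        List<CertStore> stores = new ArrayList<>();
        // stores.add(ldapCertStore("ldap.example.test", 389));            // hypothetical host

        try {
            PKIXCertPathValidatorResult r = validate(chain, anchor, crls, stores);
            System.out.println("chain valid; anchor = "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the CertPath of the failing cert, or -1.
            System.out.println("chain rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind: enableCRLDP must be set before the PKIX provider initialises (do it at startup rather than just before the call), and a CRL that cannot be fetched is a validation failure, not a silent pass, so an unreachable distribution point or directory will reject an otherwise good chain.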
