Checking a X509 Certificate Revocation


Question

Is it possible to check any X509 certificate to see whether it is revoked or not? Actually, I made a Java application that just gets a regular https link and outputs the X509 certificate. I want to add a service in my application that checks if this certificate has been revoked or not.

Is there a tutorial or some simple code to start with that can guide me to do that?

Thanks in advance

Recommended answer

Yes, of course the revocation status can be checked. If you want to do this "by hand", you need to extract the corresponding information from the certificate extensions, then retrieve the CRL or send the OCSP request.

But this is a very complex method, because it involves validation of signatures and certificates of the CRL and of the OCSP response.

Simpler ways are to use some existing mechanism. The answers (https://stackoverflow.com/a/8507905/47961 and https://stackoverflow.com/a/10068006/47961) seem to provide some links and solutions.

If you need more control, BouncyCastle seems to have some validation mechanisms. Our SecureBlackbox offers a powerful and flexible certificate validator as well (and it includes OCSP and CRL checks).
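
One "existing mechanism" of the kind the answer points to is the JDK's own PKIX validator with a `PKIXRevocationChecker` (Java 8+), which does the OCSP/CRL retrieval and signature validation for you. This is an added example, not code from the original answer; the class name `RevocationCheck` and taking the https URL from the first argument are assumptions, and it assumes the server sends its chain in order, leaf first.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RevocationCheck {
    public static void main(String[] args) throws Exception {
        // Let the checker fall back from OCSP to CRLs named in the CRL Distribution Points extension.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Assumption: the https URL to inspect is the first command-line argument.
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.connect();
        Certificate[] served = conn.getServerCertificates();
        conn.disconnect();
        // Trust anchors: the CA certificates in the JRE default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<X509Certificate> roots = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    roots.add(ca);
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        // The path given to the validator must stop before the trust anchor itself.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : served) {
            if (roots.contains(c)) break;
            path.add((X509Certificate) c);
        }

        // Default options: OCSP first, CRL as fallback, hard fail if status cannot be determined.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        try {
            cpv.validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
            System.out.println("Chain valid, no certificate revoked");
        } catch (CertPathValidatorException e) {
            boolean revoked = e.getReason() == CertPathValidatorException.BasicReason.REVOKED;
            System.out.println((revoked ? "REVOKED: " : "Not validated: ") + e.getMessage());
        }
    }
}
```

With the default options an unreachable OCSP responder or CRL server makes validation fail rather than pass, so a "Not validated" result with reason `UNDETERMINED_REVOCATION_STATUS` means the status could not be confirmed, not that the certificate is good.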
