How to configure certificate revocation checking from the Java Control Panel?
This article applies to:
- Platform(s): All Platforms
- Java version(s): 7.0, 7u25
In order to enhance security, the certificate revocation checking feature has been enabled by default starting
in Java 7 Update 25. Before Java will attempt to launch a signed application, the associated certificate will be validated to ensure that it has not been revoked by the issuing authority. This feature has been implemented
using both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) mechanisms.
Different options are available within the Java Control Panel to configure how the revocation checks are performed for the application you are trying to run.
Revocation options within the Java Control Panel
Perform Certificate revocation checks on
Before a signed applet or Java Web Start application is run, the certificate associated with the application will be checked to ensure it has not been revoked. If a certificate has been revoked, any application using that
certificate is not allowed to run. This check can be disabled, but that is not recommended.
Options for certificate revocation checking:
- Publishers certificate only
This option will check for a certificate associated with the publisher.
- All certificates in the chain of trust (default and recommended)
This option will check for all the certificates used by the application.
- Do not check (not recommended)
Check for certificate revocation using
The options indicate methods used to determine if a certificate has been revoked.
- Certificate Revocations Lists (CRLs)
This method needs lists to be generated and published periodically by Certificate Authority (CA) to keep the it current.
- Online Certificate Status Protocol (OCSP)
This method performs a real time certificate status check with CA making it more reliable and faster.
- Both CRLs and OCSP (default and recommended)
You might also be interested in: