I'm writing a webapp which requires incoming connections to use client certificates for security. I've set it up to only accept secure connections, and to use clientAuth=true.
I've been trying to check that it rejects certificates which have been revoked, but it doesn't seem to be checking the CRL. This is the first time I've really tried using CRLs so it's possible/likely I've done something wrong...
Test setup:
After setting this up, I've tried making connections to the application using both certificates; however, it lets both connect successfully, even though one of them is revoked.
Is there a setting I've missed in Tomcat that makes it check the CRL distribution point when it receives a client certificate? I would have thought that would be default behaviour.
I've found various references to settings which allow you to embed a crl location into the Connector in tomcat - that isn't what I'm looking for. This system will eventually be configured to accept certificates from a number of different CAs.
Assuming you're using the Oracle/OpenJDK JRE, if you scroll down to the bottom of the Certification Path API guide (Appendix B), you'll find CRLDP can be enabled with the com.sun.security.enableCRLDP system property:
"Support for the CRL Distribution Points extension is available. It is disabled by default for compatibility and can be enabled by setting the system property com.sun.security.enableCRLDP to the value true."
You may also be interested in the following section, about OCSP.
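To see what the property actually changes, here is a small stand-alone checker that validates a client certificate against a CA the way JSSE's PKIX trust manager does once revocation checking is on. This is an added example, not code from the question, the answer or Tomcat; it assumes the CA certificate and the client certificate are PEM or DER files passed on the command line (ca.pem and client.pem below are placeholders), and that the client certificate carries a CRL Distribution Points extension pointing at a CRL the JVM can fetch. One caveat worth knowing: com.sun.security.enableCRLDP only tells the PKIX revocation checker where it may download CRLs from; it does nothing unless revocation checking is enabled on the PKIXParameters in the first place. With a plain TrustManagerFactory that is off, which is why this example turns it on explicitly (in Tomcat 8.5 and later the equivalent switch is the revocationEnabled="true" attribute on the SSLHostConfig, which applies to all CAs in the truststore and does not pin a single crlFile).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example: validate a client certificate with PKIX revocation checking,
 * fetching CRLs from the certificate's CRL Distribution Points extension.
 * Usage: java RevocationCheck ca.pem client.pem   (file names are assumptions)
 */
public class RevocationCheck {

    /** Load every X.509 certificate found in a PEM or DER file. */
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: RevocationCheck <ca-cert> <client-cert>");
            System.exit(2);
        }

        // The switch from the answer. In a real deployment pass it as -D on the
        // java command line (for Tomcat: CATALINA_OPTS in bin/setenv.sh) so it
        // is set before the JSSE provider is initialised.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // The companion switch for the AIA/OCSP section of the same guide.
        Security.setProperty("ocsp.enable", "true");

        // Trust anchors: every CA certificate in the first file. Adding more CAs
        // here is all that is needed to accept certificates from several issuers.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : loadCerts(args[0])) {
            anchors.add(new TrustAnchor(ca, null));
        }

        PKIXParameters params = new PKIXParameters(anchors);
        // Without this, enableCRLDP has no effect: nothing asks for a CRL.
        params.setRevocationEnabled(true);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        // Prefer CRLs over OCSP and fail closed: if the CRL cannot be fetched,
        // reject rather than silently accept. SOFT_FAIL would do the opposite.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                      PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);

        // The path to validate: leaf first, intermediates after it, anchor excluded.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(loadCerts(args[1]));

        try {
            validator.validate(path, params);
            System.out.println("ACCEPTED: certificate chains to a trust anchor and is not revoked");
        } catch (CertPathValidatorException e) {
            // e.getReason() is BasicReason.REVOKED for a revoked certificate and
            // BasicReason.UNDETERMINED_REVOCATION_STATUS when the CRL could not be fetched.
            System.out.println("REJECTED: " + e.getReason() + " - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it twice, once with the live client certificate and once with the revoked one; the second run should print REJECTED with reason REVOKED. If instead it reports UNDETERMINED_REVOCATION_STATUS, the JVM could not reach the distribution point URL named in the certificate, which is the same failure you would see from Tomcat with -Dcom.sun.security.enableCRLDP=true set but the CRL unreachable.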