Btw, I have two questions:
1. Is it correct that if I set the Security properties ocsp.enable=true and com.sun.security.enableCRLDP=true, my application checks certificates in trust stores for revocation (CRL or OCSP) by default?
2. How can I customize the PKIXRevocationChecker implementation logic in a Spring Boot application or in a non-Boot application?
Thank you in advance
For #1, if your application is using the PKIX implementation of the java.security.cert.CertPathValidator API to validate certificate chains, then revocation checking is enabled by default. It can be disabled by passing false to the setRevocationEnabled method of java.security.cert.PKIXParameters. When the ocsp.enable security property is set to true, OCSP is used to check revocation (in addition to CRLs). When com.sun.security.enableCRLDP is set to true, it uses the information in a certificate's CRL Distribution Points extension (in addition to the CertStores that are specified) to find the CRL.
Also, in JDK 8, the PKIXRevocationChecker API was added, which allows more control over how revocation checking is performed.

See the PKI Programmer's Guide for more details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
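The following is an added example (not part of the original reply) showing the PKIXRevocationChecker route described above: the checker is obtained from the PKIX CertPathValidator, its options set explicitly, and it is attached to the PKIXParameters. The chain, trust store and the softFail flag are inputs the caller supplies; the class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.EnumSet;
import java.util.List;

public class RevocationCheckExample {

    /**
     * Validates a leaf-first certificate chain against the trust anchors in
     * trustStore, with revocation checking configured through an explicit
     * PKIXRevocationChecker rather than the ocsp.enable / enableCRLDP properties.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       KeyStore trustStore,
                                                       boolean softFail) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);

        // Ask the provider for its revocation checker and configure it directly.
        // Once added via addCertPathChecker it is used regardless of the
        // setRevocationEnabled flag, and its options decide OCSP vs. CRL preference.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options =
                EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS); // CRLs first, OCSP as fallback
        if (softFail) {
            // SOFT_FAIL tolerates an unreachable responder or CRL; a definite
            // "revoked" answer still fails validation.
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(options);
        params.addCertPathChecker(checker);

        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);

        // With SOFT_FAIL the swallowed errors are only visible here; surface them
        // so that "status unknown" is not mistaken for "not revoked".
        for (CertPathValidatorException e : checker.getSoftFailExceptions()) {
            System.err.println("Revocation status unknown (soft-fail): " + e.getMessage());
        }
        return result;
    }
}
```

Passing softFail=false is the strict setting: any failure to obtain revocation status throws CertPathValidatorException instead of being logged.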