Configuring Certificate Revocation

Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.

Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.

Certificate Revocation is disabled by default in JSSE. It is defined in two places:

To enable OCSP, you must set the following system properties on the command line:


After doing the above, you can enable certificate revocation in the client:

ssl-config.checkRevocation = true

Setting checkRevocation will set the internal ocsp.enable security property automatically:

java.security.Security.setProperty("ocsp.enable", "true")

And this will set OCSP checking when making HTTPS requests.


Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.

Or, if you wish to use a static CRL list, you can define a list of URLs:

ssl-config.revocationLists = [ "" ]
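As an added example (not ssl-config's own code), the following Java snippet does at the JSSE level what the two settings above arrange for the client: it sets the ocsp.enable security property, enables revocation checking on the PKIX parameters, and hands any static CRL URLs to the validator as a Collection CertStore. The class name, the cacerts path and password, and the CRL URL list are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class RevocationCheckingContext {
    // Fetches each CRL (the JSSE-level counterpart of ssl-config.revocationLists).
    static List<CRL> loadCrls(List<String> crlUrls) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        for (String url : crlUrls) {
            try (InputStream in = new URL(url).openStream()) {
                crls.add(cf.generateCRL(in));
            }
        }
        return crls;
    }

    // Builds an SSLContext whose trust manager checks revocation, which is what
    // ssl-config.checkRevocation = true arranges for the client.
    static SSLContext build(KeyStore trustStore, List<String> crlUrls) throws Exception {
        Security.setProperty("ocsp.enable", "true"); // ssl-config sets this for you
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true); // status must be determined; an unreachable responder fails the handshake
        if (!crlUrls.isEmpty()) {
            // Static CRLs are handed to the PKIX validator through a Collection CertStore.
            pkix.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(loadCrls(crlUrls))));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the JDK's own cacerts store with its default password, and no static CRLs.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        SSLContext ctx = build(KeyStore.getInstance(cacerts, "changeit".toCharArray()), List.of());
        System.out.println("Revocation-checking SSLContext ready: " + ctx.getProtocol());
    }
}
```

Pass the context's socket factory to your HTTP client; with revocation enabled, a certificate whose OCSP response or CRL cannot be obtained fails validation rather than being silently accepted.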

Further Reading