- All Superinterfaces: Prototype.Api
- All Known Implementing Classes: RevocationConfig.BuilderBase.RevocationConfigImpl

Certificate revocation configuration.
This configuration determines whether client certificate validation should include checking if
it is still considered valid by the certificate authority.
Types of certificate validation checks:
- CRL - short for Certificate Revocation List. It is a list of certificates that have been revoked by a certificate authority before their expiration date.
- OCSP - short for Online Certificate Status Protocol. It is a real-time protocol used to check the status of a certificate, providing immediate verification of its validity.

Nested Class Summary

| Modifier and Type | Interface | Description |
|---|---|---|
| static class | RevocationConfig.Builder | Fluent API builder for RevocationConfig. |
| static class | RevocationConfig.BuilderBase<BUILDER extends RevocationConfig.BuilderBase<BUILDER, PROTOTYPE>, PROTOTYPE extends RevocationConfig> | Fluent API builder base for RevocationConfig. |

Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| static RevocationConfig.Builder | builder() | Create a new fluent API builder to customize configuration. |
| static RevocationConfig.Builder | builder(RevocationConfig instance) | Create a new fluent API builder from an existing instance. |
| boolean | checkOnlyEndEntity() | Only check the revocation status of end-entity certificates. |
| static RevocationConfig | create() | Create a new instance with default values. |
| static RevocationConfig | create(config) | Create a new instance from configuration. |
| boolean | enabled() | Flag indicating whether this revocation config is enabled. |
| boolean | fallbackEnabled() | Enable fallback to the less preferred checking option. |
| | ocspResponderUri() | The URI that identifies the location of the OCSP responder. |
| boolean | preferCrlOverOcsp() | Prefer CRL over OCSP. |
| boolean | softFailEnabled() | Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons: The CRL or OCSP response cannot be obtained because of a network error. |

Method Details

builder
Create a new fluent API builder to customize configuration.
Returns: a new builder

builder
Create a new fluent API builder from an existing instance.
Parameters: instance - an existing instance used as a base for the builder
Returns: a builder based on an instance

create
Create a new instance from configuration.
Parameters: config - used to configure the new instance
Returns: a new instance configured from configuration

create
Create a new instance with default values.
Returns: a new instance

enabled
boolean enabled()
Flag indicating whether this revocation config is enabled.
Returns: enabled flag

preferCrlOverOcsp
boolean preferCrlOverOcsp()
Prefer CRL over OCSP. Default value is false. OCSP is preferred over the CRL by default.
Returns: whether to prefer CRL over OCSP

checkOnlyEndEntity
boolean checkOnlyEndEntity()
Only check the revocation status of end-entity certificates. Default value is false.
Returns: whether to check only end-entity certificates

fallbackEnabled
boolean fallbackEnabled()
Enable fallback to the less preferred checking option.
If the primary revocation checking method (CRL or OCSP) fails to verify the revocation status of a certificate, the checker will attempt the alternative method. This option determines whether revocation checking is performed strictly according to the specified method, or whether it should fall back to the less preferred one. OCSP is preferred over the CRL by default.
Returns: whether to allow fallback to the less preferred checking option

softFailEnabled
boolean softFailEnabled()
Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons:
- The CRL or OCSP response cannot be obtained because of a network error.
- The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

Returns: whether soft fail is enabled

ocspResponderUri
The URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.
Returns: OCSP responder URI
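
The flags documented above line up with the options of the JDK's `java.security.cert.PKIXRevocationChecker`. The following is an added example, not Helidon's own code and not part of the original page, showing one way such flags can be applied to a JDK trust manager. The `Flags` record, the class name and the flag-to-option mapping are assumptions made for illustration.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

public final class RevocationOptionsExample {
    // Hypothetical holder that mirrors the flags documented on this page.
    record Flags(boolean enabled, boolean preferCrlOverOcsp, boolean checkOnlyEndEntity,
                 boolean fallbackEnabled, boolean softFailEnabled, URI ocspResponderUri) { }

    // Assumed mapping: each flag selects one JDK revocation checker option.
    static Set<Option> toOptions(Flags f) {
        Set<Option> options = EnumSet.noneOf(Option.class);
        if (f.preferCrlOverOcsp()) options.add(Option.PREFER_CRLS);      // JDK default is OCSP first
        if (f.checkOnlyEndEntity()) options.add(Option.ONLY_END_ENTITY); // skip CA certificates
        if (!f.fallbackEnabled()) options.add(Option.NO_FALLBACK);       // strict: preferred method only
        if (f.softFailEnabled()) options.add(Option.SOFT_FAIL);          // pass when status is unknown
        return options;
    }

    // Builds trust managers for the given trust store (must contain at least one trusted CA).
    static TrustManagerFactory trustManagers(KeyStore trustStore, Flags f) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(f.enabled());
        if (f.enabled()) {
            PKIXRevocationChecker checker = (PKIXRevocationChecker)
                    CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            checker.setOptions(toOptions(f));
            // Overrides ocsp.responderURL and the certificate's AIA extension.
            if (f.ocspResponderUri() != null) checker.setOcspResponder(f.ocspResponderUri());
            params.addCertPathChecker(checker);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }

    public static void main(String[] args) {
        // Constructed sample: OCSP first, CRL fallback allowed, hard fail on unknown status.
        Flags strict = new Flags(true, false, false, true, false, null);
        System.out.println(toOptions(strict));
    }
}
```

In this example the strict profile leaves `softFailEnabled` off, so a network error while fetching the CRL or OCSP response causes validation to fail rather than pass.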