07 March 2022

How to enable Certificate Revocation List (CRL) validation with Talend ESB Runtime

When certificates are issued they usually have a lifetime of a few years. In some cases it is necessary to terminate the validity of a certificate before its planned end of life: for example, if a private key has been compromised, the certificate should stop being valid as soon as possible.

X.509 certificates (the most common certificate type, used for most internet services) support two different mechanisms for checking certificate revocation:

  1. Online Certificate Status Protocol (OCSP), RFC 6960
    The application that wants to validate a certificate sends the certificate's identifier to the OCSP server for revocation checking. The response tells the client whether the certificate has been revoked or is still OK to use.
  2. Certificate Revocation List (CRL), RFC 5280
    The application downloads a file that lists revoked certificates and checks whether the certificate being validated appears in that file.

As you can see from the RFC number, CRL is the older standard; it is usually less performant and less up-to-date than OCSP. However, in this blog post I will only focus on the CRL approach.

By default, most Java applications do not check for certificate revocation, because not every certificate contains a revocation URI and the check has a negative performance impact. The same applies to the Talend runtime. However, if you need revocation checking it is easy to activate: all you need to do is set two system properties:

com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true

You can add these two lines at the end of the runtime/etc/system.properties configuration file.
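To test the same two switches outside the runtime, the following added example (mine, not code from the post or from Talend) validates a PEM certificate chain against a trust store with CRL checking turned on. The class name and the file arguments are assumptions; because this runs a plain CertPathValidator rather than a TLS handshake, the TLS-only property com.sun.net.ssl.checkRevocation is replaced by its programmatic counterpart, PKIXParameters.setRevocationEnabled(true), while com.sun.security.enableCRLDP is still required for the JDK to follow the certificate's CRL Distribution Point.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class CrlValidationCheck {
    // Validate a PEM chain (leaf first, then intermediates) against a trust
    // store (JKS or PKCS12, whichever is the JDK default) with CRL-based
    // revocation checking. Returns true only if no certificate is revoked.
    static boolean validate(String chainPem, String trustStorePath, char[] pw) throws Exception {
        // Same switch the post adds to system.properties: without it the JDK
        // never follows the CRL Distribution Point URI inside the certificate.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, pw);
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        // CRL-only policy: prefer CRLs, no OCSP fallback, and no SOFT_FAIL, so
        // an unreachable CRL rejects the chain instead of silently passing it.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true); // counterpart of checkRevocation=true
        params.addCertPathChecker(rc);
        try {
            validator.validate(cf.generateCertPath(chain), params);
            return true;
        } catch (CertPathValidatorException e) {
            // e.getReason() is BasicReason.REVOKED for a listed certificate and
            // UNDETERMINED_REVOCATION_STATUS when no CRL could be obtained.
            System.err.println("rejected: " + e.getReason() + " - " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] a) throws Exception {
        System.exit(validate(a[0], a[1], a[2].toCharArray()) ? 0 : 1);
    }
}
```

Run it as `java CrlValidationCheck chain.pem truststore password`; exit status 0 means the chain validated and no certificate was found on its CRL, 1 means it was rejected for the reason printed.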

If you are interested in the complete logging output, you can add some debug system properties to the same file as well:

javax.net.debug=all
java.security.debug=all

In the rest of this article I will show you how to create your own certificates that contain a CRL URL to test and validate this setup.