0

Our web application uses applets for many of its functions, and we are currently signing those applets with a CA issued certificate. The CA provides a Revocation List. Several of the sites using our application are closed networks, with no access to the internet, and we are trying to figure out how to get the CRL onto those networks, and checked when a certificate is used.

From what I have found so far, we have the option to fully disable CRL checking, in the Java options, but I’m not sure this is the best option. Would we get security warnings when launching applets if we did this? Additionally, it may become a requirement that we check the CRL.

So I think the real questions here are:

1: How do we point Java at the CRL located on our closed network?

2: Can we place it on the server, or does it have to be deployed to each machine?

3: If there are settings that have to be in place on each machine, is there a good option for pushing them out from the server?

4

1 回答 1

0

这是一个老问题,但我现在也面临同样的问题......出于安全考虑,在我的情况下禁用检查 CRL 不是一个选项。最好的选择是确保对 CRL 和 OCSP 响应者的 Internet 访问。我也会在这里引用 OCSP 装订,但我认为这不是代码签名方案中的选项,因为 OCSP 装订仅在存在 TLS 握手的情况下工作。

另一种选择可能是维护所需 CRL 的最新本地副本并使用虚假 DNS 记录。这样,尝试访问 CRL 的客户端将被重定向到本地服务器,并带有原始 CRL 的副本。也许您必须创建一个 Web 服务器,并让一个 cron 脚本每天获取每个 CRL 的副本。然后,虚假 DNS 记录应指向该服务器。

于 2021-07-14T10:27:06.263 回答