Download Help

Printable Version

How to configure certificate revocation checking from the Java Control Panel?

This article applies to:
  • Platform(s): All Platforms
  • Java version(s): 7.0, 8.0

In order to enhance security, the certificate revocation checking feature has been enabled by default starting in Java 7 Update 25. Before Java will attempt to launch a signed application, the associated certificate will be validated to ensure that it has not been revoked by the issuing authority. This feature has been implemented using both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) mechanisms.

Different options are available within the Java Control Panel to configure how the revocation checks are performed for the application you are trying to run.

Revocation options within the Java Control Panel

  • To access these options launch the Java Control Panel.
  • Click on the Advanced tab.
  • Restart the browser to enable the changes.

Find the Java Control Panel

» Windows
» Mac OS X

revocation check configuration options

Perform Certificate revocation checks on
Before a signed applet or Java Web Start application is run, the certificate associated with the application will be checked to ensure it has not been revoked. If a certificate has been revoked, any application using that certificate is not allowed to run. This check can be disabled, but that is not recommended.
Options for certificate revocation checking:
  • Publishers certificate only
    This option will check for a certificate associated with the publisher.
  • All certificates in the chain of trust (default and recommended)
    This option will check for all the certificates used by the application.
  • Do not check (not recommended)
Check for certificate revocation using
The options indicate methods used to determine if a certificate has been revoked.
  • Certificate Revocations Lists (CRLs)
    This method needs lists to be generated and published periodically by Certificate Authority (CA) to keep the it current.
  • Online Certificate Status Protocol (OCSP)
    This method performs a real time certificate status check with CA making it more reliable and faster.
  • Both CRLs and OCSP (default and recommended)

You might also be interested in:

Select Language | About Java | Support | Developers | Feedback
Privacy  | Terms of Use | Trademarks | Disclaimer