There exist two Java API references:
The second link provides the documentation around the CertPath class: how to implement your own certification path verification. So you have to handle the whole PKI certificate chain by yourself (e.g. validation of signatures and certificates up to the root). Furthermore, it provides you with information on PKIX, the default algorithm for certificate validation.
The first link shows how to use the TrustManager which uses the PKIX algorithm. Besides certificate path validation with PKIX, the TrustManager contains more mechanisms to establish, and the PKIX algorithm also provides a mechanism for revocation (OCSP). To activate OCSP take a deeper look at the first link, section PKIX TrustManager Support:
If the init(KeyStore ks) method is used, default PKIXParameters are used with the exception that revocation checking is disabled. It can be enabled by setting the system property com.sun.net.ssl.checkRevocation to true.
And you have to set the security property ocsp.enable to true. So basically, you have nothing more to do than

```java
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
```
If you don't want to re-implement or exchange the verification chain mechanism which is already provided with the PKIX algorithm, then you should definitely use the first link. If you need more information about the PKIX algorithm, want to implement your own, or just do certificate validation without establishing TLS/SSL communication, then you should check the second link.
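As an added example (not code from the answer above), the same OCSP revocation checking can be configured programmatically instead of through the two properties: the PKIX TrustManager is initialised with CertPathTrustManagerParameters carrying a PKIXRevocationChecker, which is what the "PKIX TrustManager Support" section of the JSSE guide describes. The trust store path and password are assumed inputs; the class name is hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OcspTrustManagerExample {

    // Builds an SSLContext whose PKIX TrustManager checks revocation via OCSP
    // (CRL fallback is the checker's default when no PREFER_CRLS option is set).
    // truststorePath/password are assumptions: any JKS/PKCS12 trust store works.
    public static SSLContext buildContext(String truststorePath, char[] password,
                                          boolean softFail) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, password);
        }

        // The revocation checker comes from the PKIX CertPathBuilder.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
        // Strict mode (empty option set): an unreachable OCSP responder fails the
        // handshake. SOFT_FAIL accepts the chain when revocation status is unknown,
        // which trades availability for a weaker guarantee; choose it deliberately.
        checker.setOptions(softFail
                ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
                : EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXBuilderParameters pkixParams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // An added PKIXRevocationChecker runs regardless of the revocationEnabled flag.
        pkixParams.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkixParams));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java OcspTrustManagerExample <truststore> <password>
        SSLContext ctx = buildContext(args[0], args[1].toCharArray(), false);
        // Sockets from ctx.getSocketFactory() now perform OCSP checks during the handshake.
        System.out.println("PKIX trust manager with OCSP checking ready (" + ctx.getProtocol() + ")");
    }
}
```

Unlike the system/security property approach, this configuration applies only to the SSLContext built here rather than to every PKIX TrustManager in the JVM.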