users@glassfish.java.net

Re: Setting a Certificate Revocation List

From: <glassfish_at_javadesktop.org>
Date: Tue, 09 Dec 2008 03:48:55 PST

GlassFish does have a custom CRL feature, but that is checked during SSL interactions and is actually configured inside the http-listener as a property:

<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="8181" security-enabled="true" server-name="" xpowered-by="true">
    <ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
    <property name="crlFile" value="${com.sun.aas.instanceRoot}/config/crl.pem"/>
</http-listener>

See : http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html
for more details.

Sorry to say that this crlFile, if configured, is not used during web services interactions. If this is important for you, please file an RFE on Metro (https://wsit.dev.java.net).

When you set revocationEnabled for the ValidatorConfiguration, it actually enables the underlying JSSE mechanisms (Revocation List based CRL checking, and Revocation Checking Using OCSP).

JSSE supports HTTP URL based Revocation Checking wherein the Revocation List will be dynamically downloaded from the Certificate Authority. For this your certs need to have the CRLDistributionPoints extension, which specifies the URL of the downloadable CRL file from the CA.

For revocation checking based on OCSP to work, the certificate would need to have the URL of an Online Certificate Status Protocol (OCSP) server in the Authority Info Access (AIA) extension of the certificate.



Thanks.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=320782
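The following is an added example, not code from GlassFish, Metro or the poster: it shows, directly against the JSSE/JCA PKIX APIs, what "revocationEnabled" switches on underneath, and how the three revocation sources described above fit together: a static CRL file (the same role as the http-listener crlFile property), CRL download via the CRLDistributionPoints extension (com.sun.security.enableCRLDP), and OCSP via the AIA extension (ocsp.enable). The file paths ca.pem, server.pem and crl.pem, and the class and method names, are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * Added example (not GlassFish/Metro code). Validates a server certificate chain
 * with JSSE/JCA PKIX path validation and revocation checking enabled.
 *
 * Assumed inputs (hypothetical file names):
 *   ca.pem     - trust anchor (PEM X.509 certificate)
 *   server.pem - server chain, leaf certificate first (PEM, one or more certs)
 *   crl.pem    - a CRL issued by the CA, comparable to GlassFish's crlFile
 */
public class RevocationCheckDemo {

    public static void main(String[] args) throws Exception {
        String caPath    = args.length > 0 ? args[0] : "ca.pem";     // assumption
        String chainPath = args.length > 1 ? args[1] : "server.pem"; // assumption
        String crlPath   = args.length > 2 ? args[2] : "crl.pem";    // assumption

        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlPath)) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        X509Certificate leaf = chain.get(0);

        // Which dynamic checks can even work for this leaf depends on its extensions.
        printRevocationPointers(leaf);

        // 1. Static CRL check: the equivalent of the http-listener crlFile property.
        System.out.println("static CRL lists leaf as revoked: " + crl.isRevoked(leaf));

        // 2. PKIX path validation with revocation checking turned on. This is the
        //    underlying mechanism that ValidatorConfiguration.revocationEnabled enables.
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(true);
        // Hand the validator the local CRL so it has a revocation source even offline.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        // 3. Dynamic sources, both off by default in the JDK:
        //    - CRL download from the URL in the certificate's CRLDistributionPoints extension
        System.setProperty("com.sun.security.enableCRLDP", "true");
        //    - OCSP query to the responder named in the certificate's AIA extension
        Security.setProperty("ocsp.enable", "true");

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            cpv.validate(cf.generateCertPath(chain), params);
            System.out.println("chain valid and not revoked");
        } catch (CertPathValidatorException e) {
            // e.getReason() is REVOKED for a revoked leaf, or
            // UNDETERMINED_REVOCATION_STATUS when no revocation source could be reached.
            System.out.println("validation failed: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }

    /** Report whether the leaf carries the extensions the dynamic checks rely on. */
    static void printRevocationPointers(X509Certificate leaf) {
        // OID 2.5.29.31 = CRLDistributionPoints, OID 1.3.6.1.5.5.7.1.1 = AuthorityInfoAccess
        boolean hasCrlDp = leaf.getExtensionValue("2.5.29.31") != null;
        boolean hasAia   = leaf.getExtensionValue("1.3.6.1.5.5.7.1.1") != null;
        System.out.println("has CRLDistributionPoints (needed for CRL download): " + hasCrlDp);
        System.out.println("has AuthorityInfoAccess (needed for OCSP):          " + hasAia);
    }
}
```

Run it as `java RevocationCheckDemo ca.pem server.pem crl.pem`. One caveat worth knowing before relying on the dynamic checks: with revocation enabled, the PKIX validator fails with UNDETERMINED_REVOCATION_STATUS when it cannot obtain any revocation information at all, so a certificate without a CRLDistributionPoints or AIA extension, or a host without network access to the CA, needs a locally supplied CRL like the one added to the CertStore above.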