CRL checking at secured web service call, Metro 2.0.1, Metro 2.1
I have a normal, Metro compliant web service. It is created in NetBeans, and its configuration is based on WSIT. Web service security is enabled, and the security mechanism is Mutual Certificates Security.
I created a client certificate and imported the issuer CA cert into Glassfish's cacerts.jks truststore as a trusted cert. The public key of the client cert was not imported into this truststore, only the CA. If I understand correctly, this is the suggested approach in a production environment.
Running the client, I saw everything was fine; the client invoked the web service successfully.
The client cert has a CRLDistributionPoints extension containing a valid CRL URL (the CA cert has no such extension). I revoked the client cert and saw that the CRL at the referenced URL was refreshed and contains the serial of the client cert. So that's OK.
But after revocation I found that Metro does not use the CRLDistributionPoints extension of the client cert at all: the web service call was successful, even though the client certificate was revoked!
Analyzing the server log, I cannot find any trace of CRL validation. To debug the certpath, I added this JVM parameter to Glassfish: -Djava.security.debug=certpath
I also enabled CRL checking in Glassfish's domain.xml:
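As an added example (not code from the question, from Metro or from Glassfish), the following Java program runs the same PKIX validation the JDK performs, with CRL distribution point fetching switched on, so you can confirm outside Metro whether the revoked client certificate is rejected by the JVM itself. The file names, the truststore password and the absence of intermediate CAs are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Added diagnostic (not part of the question): validates the client
 * certificate against the CA in cacerts.jks with revocation checking on,
 * letting the JDK fetch the CRL named in the CRLDistributionPoints extension.
 * File names and the password "changeit" are assumptions.
 */
public class CrlDpCheck {
    public static void main(String[] args) throws Exception {
        // Without this system property the PKIX validator never downloads CRLs
        // from the certificate's CRLDistributionPoints extension; it only uses
        // CRLs handed to it explicitly via CertStores.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream certIn = new FileInputStream("client.crt"); // assumed path
        X509Certificate clientCert = (X509Certificate) cf.generateCertificate(certIn);
        certIn.close();

        KeyStore trust = KeyStore.getInstance("JKS");
        FileInputStream ksIn = new FileInputStream("cacerts.jks"); // assumed path
        trust.load(ksIn, "changeit".toCharArray());               // assumed password
        ksIn.close();

        // Trust anchors come from the trusted-cert entries of the truststore.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true); // default, stated explicitly

        // The chain only needs the end-entity cert: the CA is a trust anchor.
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            System.out.println("VALID: certificate chains to the CA and is not revoked");
        } catch (CertPathValidatorException e) {
            // A revoked serial on the fetched CRL, or a CRL that could not be
            // downloaded at all, both end up here with a descriptive message.
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

Run it with -Djava.security.debug=certpath to see the CRL download and revocation lookup in the output; if this program rejects the certificate while the Metro endpoint still accepts it, the gap is in Metro's certificate validation configuration rather than in the JDK.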