This has been added in TPAM version 2.5.915.
TPAM’s certificate authentication now supports Online Certificate Status Protocol (OCSP) to prevent revoked certificates from being used to authenticate to TPAM.
When Java (8u31 and above) runs an applet, by default, it checks the certificates in use to ensure they haven’t been revoked by the Certificate Authority that issued them.
There are two certificates in play:
1 - The certificate used to sign the PSM applet. We use a private certificate to sign the applet to prove its authenticity.
2 - The web server certificate that is installed on TPAM. This is a certificate generated by the customer on their Certificate Authority, and then imported into TPAM.
The certificate we use to sign the applet is issued by a third-party Certificate Authority (CA). This certificate carries URLs for revocation checking; two different methods/protocols are used, CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol).
If our private certificate is stolen, we will notify the CA, and they will revoke it by adding it to the CRL and OCSP services at the URLs above.
When Java runs our applet, it will check the above URLs to ensure the certificate is not listed as revoked. This is required to validate the certificate.
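As an added example (not part of this article and not a One Identity tool), the shell script below uses OpenSSL to list the CRL and OCSP URLs embedded in a certificate and, given the issuer's certificate, to ask the OCSP responder for the certificate's status, which is the check Java performs before trusting the applet signature. It assumes OpenSSL 1.1.1 or later; the example.test URLs and the demo certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the TPAM article: inspect the revocation-check
# endpoints (CRL distribution point and OCSP responder) carried in a
# certificate, i.e. the URLs Java consults when validating a signed applet.
set -e

# Print the OCSP responder URI(s) from the Authority Information Access
# extension, one per line (empty if the certificate has none).
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the CRL distribution point URI(s), one per line. Filters out the
# AIA "OCSP - URI:" / "CA Issuers - URI:" lines from the -text dump.
crl_uris() {
    openssl x509 -in "$1" -noout -text \
        | grep 'URI:' | grep -v -e 'OCSP - ' -e 'CA Issuers - ' \
        | sed 's/.*URI://; s/[, ].*//'
}

# Query the first OCSP responder for the certificate's status (needs the
# issuing CA certificate). Prints "good", "revoked" or "unknown".
# Online only, so it is not exercised by the offline demo below.
ocsp_status() {   # usage: ocsp_status cert.pem issuer.pem
    url=$(ocsp_uris "$1" | head -n 1)
    [ -n "$url" ] || { echo "no OCSP URI in $1" >&2; return 1; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" 2>/dev/null \
        | sed -n 's/^[^:]*: \(good\|revoked\|unknown\).*/\1/p' | head -n 1
}

# Build a constructed self-signed demo certificate that carries both
# revocation extensions, so the URL extraction can be tried offline.
make_demo_cert() {   # usage: make_demo_cert out.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj '/CN=demo-applet-signer' \
        -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/' \
        -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl' \
        >/dev/null 2>&1
}

# Usage: sh revocation-urls.sh cert.pem
if [ -n "$1" ]; then
    echo "OCSP responder(s): $(ocsp_uris "$1")"
    echo "CRL distribution point(s): $(crl_uris "$1")"
fi
```

Run it against the PSM applet-signing certificate (exported from the signed JAR) or the TPAM web server certificate to see which endpoints must be reachable from the client's Java runtime for revocation checking to succeed.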