Technote: Certificate Revocation

In this TechNote, we take a look at Certificate Revocation options and discuss the protocols and tradeoffs when using. This focuses on securing the underlying infrastructure communication between Daml Application components.

  • CRLs, OCSP, OCSP Stapling, Must-Staples, CRLSets
  • Simple Java example to allow you to see the protocol in action in Wireshark
  • How to enable OCSP revocation checking in the Daml Ledger API Server

Thank you for this post, this is very helpful, as I had been thinking about DC & DAs on Daml. I confess that currently, my DC-foo, is poor.

For the JDK, you can use the jSSLKeyLog agent to capture the TLS session key to a file and then configure Wireshark to read…

Does this mean that the TLS session key is actually sent in cleartext? But hidden in the packet flow?

1 Like

The TLS key is never sent in clear text. TLS protocol and X509 certificates allow both sides to negotiate the session key without ever exchanging in cleartext.

jSslKeyLog uses a Java add-in agent that captures the session keys in memory during negotiation and writes to a local file. This is for debugging only (for the obvious reason that it exposes the tunnel secrets) but does allow you to see the cleartext packet capture for TLS. Otherwise many parts of the protocol (for example OCSP Stapling onto the Certificate) are hidden from view.


Thank you for the reply :+1:t2:

1 Like

Great Article Mister Newman. Thanks for taking the time and energy to write this all up!

1 Like