The StaticPKIXFactoryBean has been enhanced to support this, see IDP-1706.

I overlooked the fact you could just alias the com.sun.net.ssl.checkRevocation system property in the duo-oidc.properties or directly reference that in the CertPathPKIXValidationOp

Ah right, there does seem to be quite a bit of difference between the trust validators and engines used - native Sun and opensaml. It also only seems to do the checks once (not sure when a recheck occurs). Also supports OCSP stabling.

So, to enable CRL and OCSP checking on the Nimbus client you will need to set the property `idp.duo.oidc.nimbus.checkRevocation` to true in the `duo-oidc.properties` file *AND* do one or more of the following:

1. Add an 'approved' (issuer and signature verified - at least) static CRL

2. Enabled CRLDP via the system property com.sun.security.enableCRLDP

3. Enable OCSP via the security property oscp.enabled

I would probably suggest 2 and 3, such that it first tries OCSP endpoint and falls back to a CRL via the listed distribution points.

How, or even if, we try to allow enablement of a 'soft' fail option e.g. on network timeout, has not been determined.

And, it seems the certificate revocation checks performed via the Sun trust manager/engine is different than those performed via the opensaml PKIXX509CredentialTrustEngine. More specifically, it is checking both EE and intermediate certificate revocation statuses, whereas when executed via the opensaml engine it only checks the EE cert. I have no idea why at this stage, I can not see how that could affect the outcome, ultimately they both use the same Sun revocation checker.