search cancel

Unable to load OneClick Client: RevocationChecker$StatusUnknownException Connection reset

book

Article ID: 227042

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction


javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset

 

When trying to open oneclick console I receive the following error:

<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File for Session Client -->
<jnlp spec="1.0+" codebase="https://OneClickServer.acme.net:8443/spectrum"  href="">
  <information>
    <title>DX NetOps Spectrum OneClick Console on OneClickServer.acme.net</title>
    <vendor>CA Technologies, A Broadcom Company</vendor>
    <homepage href="index.jsp"/>
    <description>DX NetOps Spectrum OneClick Console</description>
    <description kind="short">DX NetOps Spectrum OneClick Console</description>
    <icon href="images/i_icon.jpg"/>
    <!-- <offline-allowed/> -->
  </information>

  <security>
    <all-permissions/>
  </security>

    <!-- If you wish to force 64bit or 32bit OC client, replace <resources> tag with one that
         specifies an architecture - "amd64" for x64 and "x86" for x32, see below examples.

         You can copy oneclick.jnlp to oneclick32.jnlp or oneclick64.jnlp, and customize platform & memory,
         and then new launch points will be added automatically to OC admin page.

         Note: For arch specifiers to work properly, you must exactly match the JRE version or
               make sure the "Allow new versions" checkbox is checked in the supported
               JRE Version configuration.

  <resources arch="amd64"> 
  <resources arch="x86">
    -->
  <resources>

    <!-- This is used for the alarm notification dialog and will
         prevent the background color from being shown, so you will
         not get a flash of color.  In order for this property to
         be set you need to have the following
           deployment.javaws.secure.properties=sun.awt.noerasebackground
         in the deployment.config file which lives in 
           <Windows Directory>\Sun\Java\Deployment\deployment.config on Windows
              and
           /etc/.java/deployment/deployment.config on Unix.
    -->
    <property name="sun.awt.noerasebackground" value="true"/>
    <!-- To get rid of Java Authentication Required dialog -->
    <property name="javaws.cfg.jauthenticator" value="true" />

    <j2se version="1.8.0_292+" java-vm-args="--add-modules=java.se.ee" href="http://java.sun.com/products/autodl/j2se"
          initial-heap-size="96m" max-heap-size="1024m"/>

    <jar href="lib/clientconsole.jar;no_javaws_cheat"/>
    <jar href="lib/clientalarm.jar;no_javaws_cheat"/>
    <jar href="lib/clienttopo.jar;no_javaws_cheat"/>
    <jar href="lib/jgraphx.jar;no_javaws_cheat"/>
    <jar href="lib/webswing-api.jar;no_javaws_cheat"/>
    <jar href="lib/clientapp.jar;no_javaws_cheat"/>
    <jar href="lib/clientevent.jar;no_javaws_cheat"/>
    <jar href="lib/clientadmin.jar;no_javaws_cheat"/>
    <jar href="lib/util.jar;no_javaws_cheat"/>
    <jar href="lib/utilsrv.jar;no_javaws_cheat"/>
    <jar href="lib/utilnet.jar;no_javaws_cheat"/>
    <jar href="lib/utilapp.jar;no_javaws_cheat"/>
    <jar href="lib/utilgui.jar;no_javaws_cheat"/>
    <jar href="lib/jecds.jar;no_javaws_cheat"/>
    <jar href="lib/global.jar;no_javaws_cheat"/>
    <jar href="lib/productsuite.jar;no_javaws_cheat"/>
    <jar href="lib/jdom.jar;no_javaws_cheat"/>
    <jar href="lib/xercesImpl.jar;no_javaws_cheat"/>
    <jar href="lib/xml-apis.jar;no_javaws_cheat"/>
    <jar href="lib/commons-collections.jar;no_javaws_cheat"/>
    <jar href="lib/mindterm.jar;no_javaws_cheat"/>
    <jar href="lib/oneclickclient.jar;no_javaws_cheat"/>
    <jar href="lib/occversion.jar;no_javaws_cheat"/>
    <jar href="lib/icu4j-55_2.jar;no_javaws_cheat"/>
    <extension name="RSA Crypto-J" href="cryptoj.jnlp"/>
    <!-- To use embedded browser in OneClick, you need to copy
         3rd party jars from CDs (DJNativeSwing.jar, DJNativeSwing-SWT.jar,
         swt-win32.jar, swt-wlinux.jar, jna.jar)
         to <...>/tomcat/webapps/spectrum/lib, and uncomment
         following line.
    -->
    <!--
    <extension name="Embedded Browser" href="embedded-browser.jnlp"/>
    -->
    <jar href="lib/contrib/clientjdcm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientbluct.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmotbb.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientligowav.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnege.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientacpa.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmib.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwily.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmpls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfndry.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmmsw.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthost.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientveloe.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientiprm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcommscp.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientntscr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthuawe.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpoly.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsvdsk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthpprocurve.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthstca.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvdm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfeye.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientqos.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthph3c.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientaruba.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienteffip.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsanm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmerak.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthirs.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsdm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/json.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcpqnk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpcktr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientec.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcluster.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsvpk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcrpo.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientf5bigip.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientionmm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvptl.jar;no_javaws_cheat"/>
<jar href="lib/contrib/version.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientften.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienttoshi.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientgigam.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsdn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmitsu.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientgeltr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienteventcorrelation.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientjunpr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpalo.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvorm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvpls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpolicy.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientavin.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrvbed.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadisc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmulticast.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientscm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientextrm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientapc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcrsbm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnetqos.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcitrix.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfubld.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientinfoblox.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienttelco.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientntopt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientteldat.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcivpn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthpbld.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwlc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvhm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientalctl.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfosc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwwpck.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientspm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadva.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientlmtmgr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientavoc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmtel.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnetop.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrex.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadtrn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcisco.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmtrix.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientairsp.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientoacc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientharis.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientades.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientaudc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientroam.jar;no_javaws_cheat"/>
<jar href="lib/contrib/utilncm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrosc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmotnt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcmls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientslm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientciucs.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrcom.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientversa.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcss.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsecu.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientliebt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientlancm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientforti.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmisen.jar;no_javaws_cheat"/>
<jar href="lib/cont
jnlp file truncated after 10K

*************************************************

javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset
 at sun.security.ssl.Alert.createSSLException(Unknown Source)
 at sun.security.ssl.TransportContext.fatal(Unknown Source)
 at sun.security.ssl.TransportContext.fatal(Unknown Source)
 at sun.security.ssl.TransportContext.fatal(Unknown Source)
 at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
 at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
 at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
 at sun.security.ssl.SSLHandshake.consume(Unknown Source)
 at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
 at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
 at sun.security.ssl.TransportContext.dispatch(Unknown Source)
 at sun.security.ssl.SSLTransport.decode(Unknown Source)
 at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
 at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
 at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
 at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
 at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
 at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
 at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
 at com.sun.deploy.net.BasicHttpRequest.doHeadRequestEX(Unknown Source)
 at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
 at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
 at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
 at com.sun.deploy.cache.ResourceProviderImpl.getJreResource(Unknown Source)
 at com.sun.javaws.LaunchDownload._downloadExtensionsHelper(Unknown Source)
 at com.sun.javaws.LaunchDownload.downloadExtensionsHelper(Unknown Source)
 at com.sun.javaws.LaunchDownload.downloadExtensions(Unknown Source)
 at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
 at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
 at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
 at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
 at com.sun.javaws.Launcher.launch(Unknown Source)
 at com.sun.javaws.Main.launchApp(Unknown Source)
 at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
 at com.sun.javaws.Main.access$000(Unknown Source)
 at com.sun.javaws.Main$1.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset
 at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
 at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
 at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
 at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
 at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
 at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
 at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
 at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
 ... 42 more
 Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException: sun.security.provider.certpath.PKIX$CertStoreTypeException: java.net.SocketException: Connection reset
  at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
  ... 49 more
 Caused by: sun.security.provider.certpath.PKIX$CertStoreTypeException: java.net.SocketException: Connection reset
  at sun.security.provider.certpath.URICertStore.engineGetCRLs(Unknown Source)
  at java.security.cert.CertStore.getCRLs(Unknown Source)
  at sun.security.provider.certpath.DistributionPointFetcher.getCRL(Unknown Source)
  at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
  at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
  at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
  at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
  at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.deploy.security.RevocationChecker.getCRLsPrivileged(Unknown Source)
  ... 50 more
 Caused by: java.net.SocketException: Connection reset
  at java.net.SocketInputStream.read(Unknown Source)
  at java.net.SocketInputStream.read(Unknown Source)
  at java.io.BufferedInputStream.fill(Unknown Source)
  at java.io.BufferedInputStream.read1(Unknown Source)
  at java.io.BufferedInputStream.read(Unknown Source)
  at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
  at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
  at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
  ... 60 more
Caused by: java.net.SocketException: Connection reset
 at java.net.SocketInputStream.read(Unknown Source)
 at java.net.SocketInputStream.read(Unknown Source)
 at java.io.BufferedInputStream.fill(Unknown Source)
 at java.io.BufferedInputStream.read1(Unknown Source)
 at java.io.BufferedInputStream.read(Unknown Source)
 at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
 at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
 at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
 at sun.security.provider.certpath.OCSP.getOCSPBytes(Unknown Source)
 at sun.security.provider.certpath.OCSP.check(Unknown Source)
 at sun.security.provider.certpath.OCSP.check(Unknown Source)
 at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
 at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
 ... 50 more

Environment

Release : 21.2, 22.2

Component : Spectrum OneClick

Cause


When java processes the jar files that make up the OneClick console it checks the SSL Certificate used to sign
   the jar files to identify the validity of the software vendor (CA Technologies / Broadcom in this case). 

Part of this process is to verify that the certificate used has not been revoked using a OCSP revocation check to
   the Certificate Authority's server. In the case of NetOps 21.2.x the jar files are signed by Symantec and Digicert so
   OCSP calls via HTTP are made to those external servers to verify the certificates are still valid. The calls here are
   failing and in turn JRE does not continue to load the console.


Resolution


In this case, there had been network changes made which blocked the HTTP calls to Symantec and Digicerts certificate
   servers causing the console to fail to launch (connection reset). The changes made in the network were corrected.

Additional Information

 

Deeper dive

Note: I used Java's jarsigner to see the certificate authority that signed the cert

# cd /usr/Spectrum/tomcat/webapps/spectrum/lib

# /usr/Spectrum/Java/bin/jarsigner -verify -verbose -certs clientapplet.jar |grep -A 7 MANIFEST
s         695 Tue Jun 14 01:49:20 UTC 2022 META-INF/MANIFEST.MF


      >>> Signer
      X.509, CN=Broadcom Inc, OU=ESD - AIOps, O=Broadcom Inc, L=San Jose, ST=California, C=US
      [certificate is valid from 6/1/21 12:00 AM to 6/5/24 11:59 PM]
      X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
      [certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM]
      X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US

 

I downloaded the intermediary certificate from Digicert

https://www.digicert.com/kb/digicert-root-certificates.htm
https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem


 Then used `keytool -printcert -file DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem` to
    find the revocation servers

AIA
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
]
]


CRL
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/DigiCertTrustedRootG4.crl]
]]

 

#ping ocsp.digicert.com
PING cs9.wac.phicdn.net (72.21.91.29): 56 data bytes
64 bytes from 72.21.91.29: icmp_seq=0 ttl=55 time=10.121 ms
64 bytes from 72.21.91.29: icmp_seq=1 ttl=55 time=10.511 ms
64 bytes from 72.21.91.29: icmp_seq=2 ttl=55 time=10.001 ms


JRE will make a revocation check and in this case (cert certificates may change to another CA ) to ocsp.digicert.com