Well, I began with PKI a year ago with an RFID system at school. This is because the certificates are changed every year and I want to be sure that the data was signed with a valid key. The other question is about revocation: I don't understand what it's for, can anyone explain it to me? Is this enough to say that the certificate is valid?

That entire system was copied wholesale for use in SSL, and X.509 certificates became the way to verify the identity of a server.


I just popped over here so don't have enough reputation yet to down vote, but at the very least you should verify the signatures of each certificate in the chain up to the root cert and should verify the root cert itself.

The only time when verification of the root cert gets to be an issue is when Java doesn't include it in its trusted certs by default (Equifax isn't in there, for example).

In theory if everything else passes, checking a revocation list makes sense, but only after doing all that lighter weight work.

In addition to what @Tom Leek said about the certification path API, it seems that you're talking about "TLS certificates", which I presume implies you may be using your X.509 certificate within the scope of TLS.

Fortunately, Java itself comes with some code for that; look it up in the

is the PKI equivalent of "Whoops, sorry, disregard my previous message".

It is used to declare that a given certificate shall not be used, even though all the paraphernalia of signatures and name constraints and policy trees and key usages says that everything is fine with it.

What if a server was compromised and the certificate no longer trusted?

Certificate revocation allows you to "revoke" individual certificates that should no longer be accepted.

I'm assuming Sun/Oracle JRE 6, but the implementation will vary depending on the security providers installed.
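The two points made above (verify every signature in the chain up to a trusted root, then and only then do the heavier revocation check) are exactly what the JDK's certification path API does when configured the way shown below. This is an added example, not code from any of the answers; it assumes a PEM file containing the leaf certificate first followed by its intermediates, that the JRE's default `cacerts` store at its default path and default password `changeit` holds the root, and the Sun/Oracle provider (the `ocsp.enable` and `com.sun.security.enableCRLDP` switches are specific to that provider). The class name `ChainCheck` is made up for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainCheck {

    /**
     * Validate a PEM chain (leaf first, then intermediates, root optional)
     * against the JRE's default trust store, with revocation checking on.
     * Returns the PKIX result (which names the trust anchor reached) or throws.
     */
    public static PKIXCertPathValidatorResult validate(String chainPemPath) throws Exception {
        // 1. Parse every certificate in the file; generateCertificates handles several PEM blocks.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs;
        InputStream in = new FileInputStream(chainPemPath);
        try {
            certs = new ArrayList<Certificate>(cf.generateCertificates(in));
        } finally {
            in.close();
        }
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no certificates in " + chainPemPath);
        }

        // 2. Trust anchors: every trusted-certificate entry in cacerts (assumed path and password).
        //    If the root you need is missing (the Equifax case mentioned above), import it there
        //    first, or build PKIXParameters from your own Set<TrustAnchor> instead.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream ks = new FileInputStream(
                System.getProperty("java.home") + "/lib/security/cacerts");
        try {
            trust.load(ks, "changeit".toCharArray());
        } finally {
            ks.close();
        }

        // 3. The PKIX validator checks signatures, validity periods, name constraints,
        //    basic constraints and key usage on its own. Revocation is opt-in because it
        //    is the expensive, network-touching step, so it is switched on explicitly.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true);
        // Sun/Oracle provider switches that let "revocation enabled" actually fetch
        // OCSP responses and CRLs from the URLs embedded in the certificates.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // 4. A CertPath is ordered leaf -> last intermediate; the trust anchor itself
        //    must not be part of it, so drop a trailing self-signed root if one was supplied.
        if (certs.size() > 1) {
            X509Certificate last = (X509Certificate) certs.get(certs.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                certs.remove(certs.size() - 1);
            }
        }
        CertPath path = cf.generateCertPath(certs);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        try {
            PKIXCertPathValidatorResult r = validate(args[0]);
            System.out.println("valid, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() says which certificate in the path failed; the message says why
            // (bad signature, expired, revoked, ...).
            System.out.println("INVALID at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Two things worth keeping in mind when using this for TLS: path validation says nothing about whether the certificate belongs to the host you connected to, so the subject or subjectAltName still has to be matched against the hostname separately; and with revocation enabled, an unreachable OCSP responder or CRL distribution point makes validation fail rather than silently pass, which is the conservative default you want.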