While upgrading the version of the BouncyCastle libraries used, I had to rewrite the OCSP certificate validation code because BC split the PKIX code into a separate module and renamed many classes and methods. During this rewrite, I made the code compile using the new logic, but I am unsure whether OCSP validation needs to occur outside of the SSL/TLS negotiation, or whether the current mechanism is correct.
- Can we use Java's built-in OCSP validation? 
- Is the current mechanism correct, where a local cache is used with custom internal classes representing OCSP requests and statuses, and it queries a pre-specified OCSP responder as opposed to the per-certificate OCSP responder listed in each certificate's Authority Information Access OCSP URI? I think this design decision stems from a legacy environment which may not apply to current use cases.
More information:
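As an added example (not code from the question or from BouncyCastle), this shows the JDK's own `PKIXRevocationChecker` wired into a PKIX trust manager so that OCSP checking happens during the TLS handshake; the class name `BuiltInOcspTls`, the truststore parameters and the optional `fixedResponder` argument are assumed names for illustration.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class BuiltInOcspTls {

    /** Builds an SSLContext whose trust manager runs the JDK PKIX OCSP check inside the handshake. */
    public static SSLContext build(String trustStorePath, char[] trustStorePassword, URI fixedResponder)
            throws Exception {
        // Assumed: a JKS/PKCS12 truststore holding the trusted CA certificates.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        // The JDK's built-in revocation checker; no BouncyCastle OCSP classes are involved.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();

        // No options: hard-fail on unreachable responders (no SOFT_FAIL), check the whole chain
        // (no ONLY_END_ENTITY), and try OCSP before falling back to CRLs (no PREFER_CRLS).
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        // By default the checker contacts the responder named in each certificate's
        // Authority Information Access extension. A pinned responder overrides that AIA
        // URI for every certificate, so only set it when the legacy environment requires it.
        if (fixedResponder != null) {
            rc.setOcspResponder(fixedResponder);
        }

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(rc); // used instead of the default property-driven revocation mechanism

        // Hand the PKIX parameters to JSSE so revocation is evaluated during certificate validation.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

After a handshake failure, `rc.getSoftFailExceptions()` is only populated when `SOFT_FAIL` is set, so with the hard-fail configuration above a responder outage surfaces as a handshake exception rather than being silently ignored.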