The ADSS SCVP Service supports the RFC 5055 Server-based Certificate Validation Protocol (SCVP), a protocol for determining the certification path between an X.509 digital certificate and a trusted root, and for validating that path according to a particular validation policy. The ADSS SCVP Service supports two modes of operation, which may be used separately or in combination:
Delegated Path Discovery (DPD) - used to discover the path between the subject certificate and a trusted root, and
Delegated Path Validation (DPV) - used to validate the path according to a pre-defined validation policy in the ADSS SCVP Service.
Multiple validation policies can be established for each registered CA by applying a range of advanced validation options. Validation policies can also be defined for non-registered intermediate CAs.
Delegated Path Discovery (DPD)
When discovering the certification path between an X.509 digital certificate and a trusted root, the ADSS SCVP Service tries the following sources in the given order:
By using the Local Trust Anchor (i.e. ascertaining a path among all certificate authorities registered in the ADSS Server's Trust Manager module)
By using the intermediate certificates/Trust Anchor sent in the SCVP request to the ADSS SCVP Service
By using the subject certificate's AIA extension
By using the certificates found in the configured LDAP repositories
Delegated Path Validation (DPV)
Once the certification path has been discovered, it is validated using the following tests:
All certificates are checked to ensure they have not expired
All certificates are checked to ensure they have not been revoked. The revocation status of a certificate is determined either from the locally held CRL in the CRL Monitor module or via the CDP/AIA extension, depending on the validation policy defined in the Trust Manager > Validation Policy module
Any nameConstraints extensions are checked for permitted or excluded sub-trees
Name chaining is checked along the determined path
If required by the validation policy, the policyMappings extension is checked
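The discovery and validation steps above, as an added example that is not ADSS code: Go's standard library builds a path from constructed certificates (a self-signed trust anchor, an issuing CA carrying a nameConstraints permitted DNS subtree, and two end-entity certificates) and then applies the expiry, nameConstraints and name-chaining tests, reporting a compliant leaf, a leaf outside the permitted subtree, and an expiry failure. All names, the reference time and the example.com subtree are constructed for the demo; the CRL-based revocation check is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var Now = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed reference time for all validity checks
// issue signs a one-year certificate for cn (parent == nil gives a self-signed trust anchor); permitted sets a nameConstraints permitted DNS subtree; dns sets an end-entity's SANs (no SANs means CA here).
func issue(cn string, permitted, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as a real CA would use
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: Now.Add(-time.Hour), NotAfter: Now.AddDate(1, 0, 0),
		BasicConstraintsValid: true, IsCA: dns == nil, DNSNames: dns,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: permitted != nil}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Validate mirrors the DPV tests: build leaf -> inter -> root, then check validity period, nameConstraints and name chaining at time at (revocation is not modelled).
func Validate(leaf, inter, root *x509.Certificate, at time.Time) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	ip.AddCert(inter)
	rp.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// Demo builds root -> issuing CA (permitted subtree example.com) -> leaves and returns the three DPV outcomes.
func Demo() (compliant, outsideSubtree, expired error) {
	root, rk := issue("Demo Root", nil, nil, nil, nil)
	inter, ik := issue("Demo Issuing CA", []string{"example.com"}, nil, root, rk)
	good, _ := issue("www.example.com", nil, []string{"www.example.com"}, inter, ik)
	bad, _ := issue("host.example.net", nil, []string{"host.example.net"}, inter, ik)
	return Validate(good, inter, root, Now), Validate(bad, inter, root, Now), Validate(good, inter, root, Now.AddDate(2, 0, 0))
}
func main() {
	fmt.Println(Demo())
}
```

The second outcome surfaces as an unknown-authority error whose detail names the issuing CA as not authorized to sign for host.example.net, which is how Go reports a nameConstraints violation found while building the path.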
The following image shows the ADSS SCVP Service's home page and its sub-modules, which are detailed in the next sections:
The following sections describe how to configure the ADSS SCVP Service.