Ascertia
Help & Support Center

ADSS SCVP Service

The ADSS SCVP Service supports the Server-based Certificate Validation Protocol (SCVP) defined in RFC 5055, a protocol for determining the certification path between an X.509 digital certificate and a trusted root, and for validating that path according to a particular validation policy. The ADSS SCVP Service supports two modes of operation, which may be used separately or in combination:

  • Delegated Path Discovery (DPD) - discovers the path between the subject certificate and a trusted root, and
  • Delegated Path Validation (DPV) - validates that path according to a validation policy pre-defined in the ADSS SCVP Service.
Multiple validation policies can be established for each registered CA by applying a range of advanced validation options. Validation policies can also be defined for non-registered intermediate CAs.

Delegated Path Discovery (DPD)

When discovering the certification path between an X.509 digital certificate and a trusted root, the ADSS SCVP Service uses the following sources, in the order given:
  • The local trust anchors, i.e. the certificate authorities registered in the ADSS Server's Trust Manager module
  • The intermediate certificates and/or trust anchor sent in the SCVP request to the ADSS SCVP Service
  • The subject certificate's AIA (Authority Information Access) extension
  • The certificates found in the configured LDAP repositories

Delegated Path Validation (DPV)

Once the certification path has been discovered, it is validated using the following tests:
  • All certificates are checked to ensure they have not expired
  • All certificates are checked to ensure they have not been revoked. The revocation status of a certificate can be determined either from the locally held CRL in the CRL Monitor module or via the certificate's CDP/AIA extension, according to the validation policy defined in the Trust Manager > Validation Policy module
  • Any nameConstraints extensions are checked for permitted or excluded subtrees
  • Name chaining is performed on the determined chain
  • If required by the validation policy, the policyMappings extension is checked
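As an added illustration (not Ascertia or ADSS code), the following Python model walks through both steps above: DPD tries the four certificate sources in the order listed, and DPV applies the expiry, revocation, nameConstraints and name-chaining tests. Certificates are plain dictionaries keyed by name, the sample PKI is constructed, no signatures are verified, and the policyMappings test is omitted.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # constructed "current" date used by the expiry test

def cert(subject, issuer, not_after, anchor=False):
    """Minimal certificate model: names are strings, no real signatures."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after, "anchor": anchor}

def discover_path(subject_cert, sources):
    """DPD: follow issuer names up to a trust anchor, trying the sources in order.
    Returns [(cert, source_name), ...] so the source that supplied each cert is visible."""
    path, cur = [(subject_cert, "request subject")], subject_cert
    while not cur["anchor"]:
        for name, store in sources:           # first source that knows the issuer wins
            issuer = store.get(cur["issuer"])
            if issuer is not None:
                break
        else:                                  # no source could supply the issuer
            raise LookupError(f"no issuer certificate found for {cur['subject']}")
        path.append((issuer, name))
        cur = issuer
    return path

def validate_path(path, revoked, permitted_suffix=None):
    """DPV: expiry, revocation, nameConstraints (permitted subtree) and name chaining.
    Returns a list of error strings; an empty list means the path is valid."""
    certs = [c for c, _ in path]
    errors = []
    for i, c in enumerate(certs):
        if c["not_after"] < TODAY:
            errors.append(f"{c['subject']}: expired")
        if c["subject"] in revoked:            # stands in for the CRL / CDP / AIA lookup
            errors.append(f"{c['subject']}: revoked")
        if permitted_suffix and not c["anchor"] and not c["subject"].endswith(permitted_suffix):
            errors.append(f"{c['subject']}: outside permitted subtree {permitted_suffix}")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            errors.append(f"{c['subject']}: issuer name does not chain to {certs[i + 1]['subject']}")
    return errors

# Constructed sample PKI: the root is registered as a local trust anchor, the
# intermediate is only reachable via the leaf's AIA, request and LDAP supply nothing.
ROOT = cert("CN=Example Root", "CN=Example Root", date(2030, 1, 1), anchor=True)
ICA = cert("CN=Example Issuing CA,O=Example", "CN=Example Root", date(2028, 1, 1))
LEAF = cert("CN=alice,O=Example", "CN=Example Issuing CA,O=Example", date(2025, 1, 1))
SOURCES = [("local trust anchors", {ROOT["subject"]: ROOT}), ("request", {}),
           ("AIA", {ICA["subject"]: ICA}), ("LDAP", {})]

if __name__ == "__main__":
    for c, src in discover_path(LEAF, SOURCES):
        print(f"{src:20} {c['subject']}")
```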

The following image shows the ADSS SCVP Service's home page and sub-modules; the sub-modules are described in the next sections:

[Image: ADSS SCVP Service home page and sub-modules]

The following sections describe how to configure the ADSS SCVP Service.
