Multiple validation policies can be established for each registered CA by applying a range of advanced validation options. Validation policies can also be defined for non-registered intermediate CAs.

When trying to discover the certificate path between an X.509 digital certificate and a trusted root, the ADSS SCVP Service performs the following actions in the given order:

• Builds a path using the Local Trust Anchor (i.e. ascertains a path among all certificate authorities that are registered in the ADSS Server's Trust Manager module)
• By using the intermediate certificates/Trust Anchor, sent in the SCVP request to the ADSS SCVP Service
• By using the subject certificate's AIA extension
• By using the certificates found in the configured LDAP repositories

Once the certification path is discovered/determined then it is validated using the following tests:

• All certificates are checked to ensure they are not expired
• All certificates are checked to make sure they are not revoked. One can determine the revocation status of a certificate using the locally held CRL in CRL Monitor module or through the CDP/AIA extension based on the validation policy defined in Trust Manager > Validation Policy module
• Any nameConstraints extensions are checked for permitted or excluded sub-trees
• Name chaining is performed on the determined chain
• If defined in the validation policy then policyMappings extension is checked

 Following image shows the ADSS SCVP Service's home page and sub-modules, details of which are given in the next sections:

The following sections describe how to configure the ADSS SCVP Service.

Configuring the SCVP Service

Access Control

Transactions Log Viewer

Logs Archiving

Alerts

Management Reporting

Operating the SCVP Service in FIPS 201 Compliant Mode

SCVP Service Interface URLs