Path Discovery Settings are used to configure how the path for the target certificate will be built up to the root CA.  In particular it places constraints on where the necessary additional certificates can be found. See the image below: 

Each element of the form is described below:

Items

Description

Use basic path discovery

Basic Path Discovery provides just two options for finding the additional certificates required for path building. The options are (1) certificates registered in Trust Manager, and (2) intermediate certificates found in the verification service request. 

Use advanced path discovery

Advanced Path Discovery adds two further options for finding the additional certificates required for path building. The additional options are (3) certificates retrieved using the subject certificate's AIA extension and (4) certificates present in an LDAP repository.

Build path using certificates registered in ADSS Trust Manager

This option is automatically selected under basic and advanced path discovery options. ADSS Server starts path discovery using the TAs registered within Trust Manager.

Build path using certificates provided in request

This option is selected by-default under basic and advanced path discovery options. The path is built using the intermediate certificates found in the request.

Note: The Root CA certificate must be registered in Trust Manager if you want path discovery using the intermediate certificates provided in the request.

Build path using Subject certificate's AIA extension

This option is selected by default under the advanced path discovery option. If the path is not built using the Trust Manager and/or intermediate certificates found in the request or using the LDAP repository then the system will use the value of Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2) from the Authority Information Access (AIA) extension if it exists in the target certificate.

Note: The Root CA must be registered in ADSS Trust Manager if you want path discovery using AIA.

Build path using certs found in locally-configured LDAP directories

Select this option if you want the path discovery using configured LDAP repositories. Configure the LDAP repository address(es) from where the intermediate certificates can be found.

Note: The Root CA must be registered in ADSS Trust Manager if you want path discovery using LDAP repositories.

Build and validate certificate path up to any CA registered in ADSS Trust Manager

Select this option when path building of the target/signer certificate is only required up to any registered CA certificate and path building to a self-signed root CA is not required.

Build and validate certificate path up to a self-signed Root CA registered in ADSS Trust Manager

Select this option when path building of the target/signer certificate is required to be chained right up to a self-signed root CA already registered in ADSS Trust Manager.


Clicking the Next button will display the Path Validation Settings page.


See also

General Settings

Trust Anchor Settings
Signature Settings
Algorithms Settings
Path Validation Settings
Advanced Settings