Path Validation Settings
Path Validation Settings determine how the certificate chain (prepared via Path Discovery) will be validated.
Each element of the form is described below:
Items |
Description |
Use basic path validation |
This approach is not PKIX compliant and policy extensions are not checked in the certificates while validating. However it is a much faster method than other.
|
Use advanced path validation |
Select this option to perform PKIX compliant path validation. It strictly follows the PKIX algorithm and thus certificates that are not PKIX compliant cannot be validated.
|
Inhibit Policy Mapping |
The Inhibit Policy Mapping option controls whether policy mapping is allowed during certification path validation. The inhibitPolicyMapping item inhibits certificate policy mapping during certification path validation. |
Require Explicit Policy |
The requireExplicitPolicy item specifies an input to the certification path validation algorithm, and it controls that there must be at least one valid policy in the certificate policies extension. |
Inhibit anyPolicy |
The inhibitAnyPolicy item specifies an input to the certification path validation algorithm and it controls whether the anyPolicy OID is processed or ignored when evaluating certificate policy. |
Acceptable certificate policy OIDs |
The userPolicySet item specifies a list of certificate policy identifiers that the SCVP server MUST use when constructing and validating a certification path. The userPolicySet item specifies the user-initial-policy-set. A userPolicySet containing the anyPolicy OID indicates a user-initial-policy-set of any-policy. |
Permitted Subject Names |
The PKIX validation algorithm allows the client to set one or more subject names that MUST appear in the certificate chain. If the configured subjects are matched against the certificate chain then this check will be passed otherwise an error will be returned to the user. If multiple DNs are configured then an OR operator is used for validation. |
Excluded Subject Names |
The PKIX validation algorithm allows the client to set one or more subject names that MUST NOT appear in the certificate chain. If the Permitted Subject Names checkbox is checked then this check is applied on the Permitted certificates otherwise any certificate that meets this criteria will be rejected. |
Key Usages |
The Key Usages item indicates the technical usage of the public key that is to be confirmed by the server as acceptable. Key Usages with OR operator are shown in multiple lines in the Selected Key Usages while the Key Usages with AND operator are shown comma separated in a single line. |
Extended Key Usages |
The Extended Key Usages item indicates the application-specific usage of the public key that is to be confirmed by the server as acceptable. The AND operator is used when multiple Extended Key Usage (EKU) values are selected. If any of the selected EKUs are not found in the certificate then a failed response is generated. If anyPurpose EKU is selected then any EKU value in the certificate is acceptable including no EKU. |
If you wish that user can set the value of any attribute in the request then check the relevant overridable checkbox. |
Clicking the Next button will display the Advanced Settings page.
See also
Trust Anchor Settings
Path Discovery Settings
Advanced Settings