Path Validation Settings determine how the certificate chain built during Path Discovery is validated.

Each element of the form is described below:

Items

Description

Use basic path validation

This mode is not PKIX compliant: the certificate policies, policy mappings and policy constraints extensions are not processed during validation. It is, however, considerably faster than advanced path validation. Only the following checks are performed in basic validation mode:

  • Certificate Validation
  • Signature Verification
  • Revocation Status
  • Key Usages and Extended Key Usages

Use advanced path validation

Select this option to perform PKIX compliant path validation. It follows the PKIX (RFC 5280) path validation algorithm strictly, so a chain that contains certificates which are not PKIX compliant fails validation.
In addition to the basic path validation checks, the advanced mode processes certificate policies using the following inputs to the validation algorithm:

  • initial-policy-set
  • initial-explicit-policy
  • initial-policy-mapping-inhibit
  • initial-inhibit-any-policy

Inhibit Policy Mapping

The Inhibit Policy Mapping option sets the initial-policy-mapping-inhibit input (the inhibitPolicyMapping item). When selected, policy mappings asserted by intermediate certificates are not honoured during certification path validation: a policy of the issuer's domain is not treated as equivalent to a policy of the subject's domain, so mapped policies drop out of the set of valid policies.

Require Explicit Policy

The Require Explicit Policy option sets the initial-explicit-policy input (the requireExplicitPolicy item). When selected, the path is valid only if at least one certificate policy is valid for the whole chain; a certificate without a certificate policies extension then causes validation to fail.

Inhibit anyPolicy

The Inhibit anyPolicy option sets the initial-inhibit-any-policy input (the inhibitAnyPolicy item). It controls whether the special anyPolicy OID in a certificate policies extension is processed, i.e. treated as matching every policy, or ignored when the certificate's policies are evaluated.

Acceptable certificate policy OIDs

The userPolicySet item specifies the user-initial-policy-set: the list of certificate policy identifiers that the XKMS server MUST use when constructing and validating a certification path. A userPolicySet that contains the anyPolicy OID indicates a user-initial-policy-set of any-policy, i.e. every policy is acceptable.
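The four inputs above only make sense together with the policy-processing state machine they feed. The following is an added example, not the XKMS server's own code: it implements the certificate-policy part of the RFC 5280 section 6.1 algorithm over constructed dict "certificates" (a parsed X.509 chain would supply the same fields). The chain is ordered from the certificate issued by the trust anchor to the end-entity certificate; the trust anchor itself is not part of it, as in RFC 5280. Field names such as `policies`, `mappings`, `self_issued` and `require_explicit_policy` are this example's own.

```python
ANY = "2.5.29.32.0"  # the anyPolicy OID


class Node:
    """A valid_policy_tree node (policy qualifiers omitted for brevity)."""

    def __init__(self, policy, expected, parent=None):
        self.policy, self.expected, self.parent = policy, set(expected), parent
        self.children = []
        if parent is not None:
            parent.children.append(self)


def _depth(root, d):
    """All nodes at depth d; the root is depth 0."""
    level = [root]
    for _ in range(d):
        level = [c for node in level for c in node.children]
    return level


def _prune(root, d):
    """Delete childless nodes at depth d or shallower (6.1.3 d.3); None if the tree empties."""
    for k in range(d, 0, -1):
        for node in _depth(root, k):
            if not node.children:
                node.parent.children.remove(node)
    return root if root.children else None


def validate_policies(chain, user_policy_set=frozenset({ANY}), explicit=False,
                      inhibit_mapping=False, inhibit_any=False):
    """Policy processing of RFC 5280 6.1 with the four inputs from this page.
    Returns the set of policies valid for the whole chain; raises ValueError
    when an explicit policy is required but none is valid."""
    n = len(chain)
    tree = Node(ANY, {ANY})
    explicit_policy = 0 if explicit else n + 1          # initial-explicit-policy
    policy_mapping = 0 if inhibit_mapping else n + 1    # initial-policy-mapping-inhibit
    inhibit_any_policy = 0 if inhibit_any else n + 1    # initial-inhibit-any-policy
    for i, cert in enumerate(chain, 1):
        policies = cert.get("policies")                 # None: extension absent
        if policies is None:
            tree = None                                 # 6.1.3 (e)
        elif tree is not None:                          # 6.1.3 (d)
            parents = _depth(tree, i - 1)
            for p in policies:
                if p == ANY:
                    continue
                matched = [pn for pn in parents if p in pn.expected]
                if not matched:                         # (d)(1)(ii): hang it under anyPolicy
                    matched = [pn for pn in parents if pn.policy == ANY]
                for pn in matched:
                    Node(p, {p}, pn)
            if ANY in policies and (inhibit_any_policy > 0 or (i < n and cert.get("self_issued"))):
                for pn in parents:                      # (d)(2): anyPolicy is processed
                    for e in pn.expected - {c.policy for c in pn.children}:
                        Node(e, {e}, pn)
            tree = _prune(tree, i - 1)
        if explicit_policy == 0 and tree is None:       # 6.1.3 (f)
            raise ValueError(f"certificate {i}: explicit policy required, none valid")
        if i == n:
            break
        for issuer, subjects in cert.get("mappings", {}).items():  # 6.1.4 (a)/(b)
            if ANY in (issuer, *subjects):
                raise ValueError("anyPolicy is not allowed in policy mappings")
            nodes = _depth(tree, i) if tree else []
            if policy_mapping > 0:
                hit = [nd for nd in nodes if nd.policy == issuer]
                for nd in hit:
                    nd.expected = set(subjects)
                for nd in ([] if hit else nodes):
                    if nd.policy == ANY:
                        Node(issuer, subjects, nd.parent)
            else:                                       # mapping inhibited: drop the node
                for nd in nodes:
                    if nd.policy == issuer:
                        nd.parent.children.remove(nd)
                tree = _prune(tree, i - 1) if tree else None
        if not cert.get("self_issued"):                 # 6.1.4 (h): count down
            explicit_policy = max(explicit_policy - 1, 0)
            policy_mapping = max(policy_mapping - 1, 0)
            inhibit_any_policy = max(inhibit_any_policy - 1, 0)
        # 6.1.4 (i)/(j): constraints in the certificate can only tighten the counters
        explicit_policy = min(explicit_policy, cert.get("require_explicit_policy", n + 1))
        policy_mapping = min(policy_mapping, cert.get("inhibit_policy_mapping", n + 1))
        inhibit_any_policy = min(inhibit_any_policy, cert.get("inhibit_any_policy", n + 1))
    if explicit_policy > 0:                             # 6.1.5 (a)
        explicit_policy -= 1
    if chain[-1].get("require_explicit_policy") == 0:   # 6.1.5 (b)
        explicit_policy = 0
    if tree is not None and ANY not in user_policy_set:  # 6.1.5 (g): user-initial-policy-set
        for k in range(1, n + 1):
            for nd in _depth(tree, k):
                if nd.policy != ANY and nd.policy not in user_policy_set:
                    nd.parent.children.remove(nd)
        for nd in _depth(tree, n):                      # expand a trailing anyPolicy node
            if nd.policy == ANY:
                for p in user_policy_set - {c.policy for c in nd.parent.children}:
                    Node(p, {p}, nd.parent)
                nd.parent.children.remove(nd)
        tree = _prune(tree, n - 1)
    if explicit_policy == 0 and tree is None:
        raise ValueError("explicit policy required, but no policy is valid for the chain")
    return {nd.policy for nd in _depth(tree, n)} if tree else set()


if __name__ == "__main__":
    # Constructed sample: an intermediate CA maps its policy 1.2.3.1 to 1.2.3.2,
    # the end-entity certificate asserts 1.2.3.2.
    chain = [{"policies": ["1.2.3.1"], "mappings": {"1.2.3.1": ["1.2.3.2"]}},
             {"policies": ["1.2.3.2"]}]
    print(validate_policies(chain))                          # {'1.2.3.2'}
    print(validate_policies(chain, inhibit_mapping=True))    # set()
```

Running the sample with each option toggled shows what the form controls: Inhibit Policy Mapping empties the policy set for the mapped chain, Require Explicit Policy turns that empty set into a validation error, Inhibit anyPolicy stops an intermediate certificate asserting only anyPolicy from matching the end entity's policy, and Acceptable certificate policy OIDs filters the final set (expanding a trailing anyPolicy into the configured OIDs).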

Permitted Subject Names

The PKIX validation algorithm allows the client to set one or more subject names that MUST appear in the certificate chain. The check passes if any configured subject matches a certificate in the chain; otherwise an error is returned to the user. Multiple DNs are combined with OR.

Excluded Subject Names

The PKIX validation algorithm allows the client to set one or more subject names that MUST NOT appear in the certificate chain. If Permitted Subject Names is enabled, the exclusion is applied to the certificates that matched the permitted names; otherwise any certificate in the chain whose subject matches an excluded name causes the chain to be rejected.

Key Usages

The Key Usages item indicates the technical usage of the public key that the server must confirm as acceptable. In the Selected Key Usages box each line is one alternative (lines are combined with OR), and the usages listed comma-separated on a single line must all be present in the certificate (they are combined with AND).

Extended Key Usages

The Extended Key Usages item indicates the application-specific usage of the public key that is to be confirmed by the server as acceptable.
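The Permitted/Excluded Subject Names and Key Usage/Extended Key Usage settings above are simple filters over the chain, but their combination rules (OR across DNs, exclusion applied within the permitted matches, OR-of-AND key usage lines) are easy to get wrong. The following is an added example, not the product's code, showing one way to evaluate them: certificates are constructed dicts, DNs are compared after a simplified normalisation (escaped commas and multi-valued RDNs are not handled), the key usage and EKU checks are applied to the end-entity certificate, and an absent EKU extension is treated as unrestricted per RFC 5280 4.2.1.12. All of these are this example's assumptions, as is the `settings` dict shape.

```python
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage


def _norm_dn(dn):
    """Turn 'CN=Alice, O=Example' into a comparable tuple. Attribute types are
    case-insensitive and values use caseIgnoreMatch (RFC 5280 7.1); escaped
    commas and multi-valued RDNs are not handled (simplification)."""
    return tuple((t.strip().upper(), v.strip().casefold())
                 for t, v in (rdn.split("=", 1) for rdn in dn.split(",")))


def check_subject_names(chain, permitted=(), excluded=()):
    """Permitted DNs are OR-ed: at least one must be a subject in the chain.
    Excluded DNs must not appear; with a permitted list configured the
    exclusion is applied only to the certificates that matched it (our reading
    of the page), otherwise to every certificate in the chain."""
    permitted = {_norm_dn(d) for d in permitted}
    excluded = {_norm_dn(d) for d in excluded}
    subjects = [_norm_dn(c["subject"]) for c in chain]
    if permitted:
        candidates = [s for s in subjects if s in permitted]
        if not candidates:
            return False, "no permitted subject name appears in the chain"
    else:
        candidates = subjects
    for s in candidates:
        if s in excluded:
            return False, f"excluded subject name present: {s}"
    return True, "subject names ok"


def check_key_usages(cert, selected=()):
    """`selected` mirrors the Selected Key Usages box: one AND-group per line,
    lines OR-ed. A certificate without a keyUsage extension satisfies no
    configured line (conservative choice, an assumption of this example)."""
    if not selected:
        return True, "no key usage requirement"
    present = set(cert.get("key_usage") or ())
    if any(set(group) <= present for group in selected):
        return True, "key usage ok"
    return False, f"key usage {sorted(present)} matches no configured line"


def check_ext_key_usages(cert, required=()):
    """`required` is OR-ed. An absent extendedKeyUsage extension is treated as
    unrestricted and anyExtendedKeyUsage satisfies every requirement
    (RFC 5280 4.2.1.12); a stricter deployment may refuse the absent case."""
    if not required:
        return True, "no EKU requirement"
    eku = cert.get("eku")
    if eku is None or ANY_EKU in eku or set(required) & set(eku):
        return True, "extended key usage ok"
    return False, f"extended key usage {sorted(eku)} matches none of {list(required)}"


def check_chain(chain, settings):
    """Run the three checks with a settings dict shaped like the page's form."""
    for ok, reason in (
        check_subject_names(chain, settings.get("permitted", ()), settings.get("excluded", ())),
        check_key_usages(chain[-1], settings.get("key_usages", ())),
        check_ext_key_usages(chain[-1], settings.get("ext_key_usages", ())),
    ):
        if not ok:
            return False, reason
    return True, "ok"


# Constructed sample chain: an issuing CA and an S/MIME end-entity certificate.
SAMPLE_CHAIN = [
    {"subject": "CN=Issuing CA, O=Example Corp, C=GB",
     "key_usage": {"keyCertSign", "cRLSign"}, "eku": None},
    {"subject": "CN=Alice Smith, O=Example Corp, C=GB",
     "key_usage": {"digitalSignature", "nonRepudiation"},
     "eku": {"1.3.6.1.5.5.7.3.4"}},   # id-kp-emailProtection
]

if __name__ == "__main__":
    settings = {"permitted": ["cn=alice smith,o=example corp,c=gb"],
                "excluded": ["CN=Issuing CA, O=Example Corp, C=GB"],
                "key_usages": [["digitalSignature", "nonRepudiation"], ["keyEncipherment"]],
                "ext_key_usages": ["1.3.6.1.5.5.7.3.4"]}
    print(check_chain(SAMPLE_CHAIN, settings))   # (True, 'ok')
```

Note the interaction the page describes: with the issuing CA listed under Excluded Subject Names but a permitted DN configured, the sample chain still passes, because the exclusion is only tested against the permitted matches; remove the permitted list and the same exclusion rejects the chain.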


Clicking the Next button will display the Advanced Settings page.


See also

General Settings

Trust Anchor Settings
Path Discovery Settings
Advanced Settings