The ADSS SCVP Service implements the Server-based Certificate Validation Protocol (SCVP) defined in RFC 5055. SCVP lets a client delegate to a trusted server the discovery of the certification path between an X.509 digital certificate and a trusted root, and the validation of that path according to a particular validation policy. The ADSS SCVP Service supports two modes of operation, which may be used separately or in combination:

  • Delegated Path Discovery (DPD), which discovers the certification path between the subject certificate and a trusted root, and
  • Delegated Path Validation (DPV), which validates that path according to a validation policy pre-defined in the ADSS SCVP Service.


Multiple validation policies can be established for each registered CA by applying a range of advanced validation options. Validation policies can also be defined for non-registered intermediate CAs.


Delegated Path Discovery (DPD)


When discovering the certification path between an X.509 digital certificate and a trusted root, the ADSS SCVP Service consults the following certificate sources in the order given:

  • The local trust anchors, i.e. it attempts to build the path from the certificate authorities registered in the ADSS Server's Trust Manager module
  • The intermediate certificates and/or trust anchor sent to the ADSS SCVP Service in the SCVP request
  • The issuer certificate referenced by the subject certificate's Authority Information Access (AIA) extension
  • The certificates held in the configured LDAP repositories



Delegated Path Validation (DPV)


Once the certification path has been discovered, it is validated using the following tests:

  • Every certificate in the path is checked to ensure it is within its validity period (i.e. not expired)
  • Every certificate in the path is checked to ensure it has not been revoked. Depending on the validation policy defined in the Trust Manager > Validation Policy module, the revocation status is determined either from the CRL held locally by the CRL Monitor module or by following the certificate's CDP/AIA extension
  • Any nameConstraints extensions are checked against their permitted and excluded sub-trees
  • Name chaining is verified along the determined path (each certificate's issuer name must match the subject name of the next certificate)
  • If required by the validation policy, the policyMappings extension is checked
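
The two procedures above, the DPD source order and the DPV tests, as one worked model in Python. This is an added example, not ADSS Server code: certificates are plain records carrying only the fields the tests need (subject, issuer, serial, validity, nameConstraints, AIA URL, certificatePolicies, policyMappings) rather than real X.509 DER; the CA names, the URL and the policy OIDs are hypothetical; the `fetch_aia` callable stands in for the HTTP fetch of an AIA caIssuers location; and the `crl` dictionary stands in for the CRLs held by the CRL Monitor.

```python
"""Model of the DPD and DPV steps described above: an added illustration, not ADSS Server
code. Certificates are plain records and the sample PKI is constructed, not real X.509."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Sequence, Set, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str                          # DNS-style name standing in for the subject DN
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    permitted: Tuple[str, ...] = ()       # nameConstraints permitted / excluded subtrees (DNS form)
    excluded: Tuple[str, ...] = ()
    aia_url: Optional[str] = None         # AIA caIssuers URL where this cert's issuer can be fetched
    policies: Tuple[str, ...] = ()        # certificatePolicies OIDs
    policy_mappings: Tuple[Tuple[str, str], ...] = ()  # (issuerDomainPolicy, subjectDomainPolicy)

def discover_path(subject: Cert, registered: Sequence[Cert], request_certs: Sequence[Cert] = (),
                  fetch_aia: Optional[Callable[[str], Optional[Cert]]] = None,
                  ldap_certs: Sequence[Cert] = (), max_depth: int = 8) -> Tuple[List[Cert], List[str]]:
    """DPD: leaf-first path ending at a trust anchor, plus the source that supplied each hop.
    Only a self-signed CA registered in Trust Manager is an anchor; one the client sends is not."""
    anchors = {c.subject for c in registered if c.subject == c.issuer}

    def candidates(cert: Cert) -> Iterator[Tuple[str, Optional[Cert]]]:
        # Sources in the order the page lists them; lazy, so AIA is only fetched on a local miss.
        yield from (("trust-manager", c) for c in registered)
        yield from (("request", c) for c in request_certs)
        if fetch_aia is not None and cert.aia_url:
            yield "aia", fetch_aia(cert.aia_url)
        yield from (("ldap", c) for c in ldap_certs)

    path, sources, cur = [subject], [], subject
    while cur.subject not in anchors:
        if cur.subject == cur.issuer or len(path) > max_depth:
            raise LookupError(f"no path from {subject.subject!r} to a registered trust anchor")
        hit = next(((s, c) for s, c in candidates(cur) if c is not None and c.subject == cur.issuer), None)
        if hit is None:
            raise LookupError(f"issuer {cur.issuer!r} of {cur.subject!r} found in no source")
        sources.append(hit[0])
        path.append(hit[1])
        cur = hit[1]
    return path, sources

def _in_subtree(name: str, subtree: str) -> bool:
    # RFC 5280 DNS constraint: the subtree itself and any name with labels added on the left.
    return name == subtree or name.endswith("." + subtree)

def validate_path(path: Sequence[Cert], crl: Dict[str, Set[int]], now: datetime,
                  ocsp: Optional[Callable[[Cert], bool]] = None,
                  required_policy: Optional[str] = None) -> List[str]:
    """DPV: the tests listed above over a leaf-first path; an empty list means valid. crl is the CRL
    Monitor data (issuer -> revoked serials), ocsp the CDP/AIA lookup the policy allows (True = revoked)."""
    errors = [f"expired or not yet valid: {c.subject}" for c in path if not c.not_before <= now <= c.not_after]
    for c in path[:-1]:                                              # revocation: local CRL, else CDP/AIA
        status = (c.serial in crl[c.issuer]) if c.issuer in crl else (ocsp(c) if ocsp else None)
        if status is not False:                                      # unknown status fails, never passes
            errors.append(f"{'revoked' if status else 'revocation status undetermined'}: {c.subject}")
    for i, ca in enumerate(path[1:], start=1):                       # each CA's nameConstraints apply
        for below in path[:i]:                                       # to every certificate beneath it
            allowed = not ca.permitted or any(_in_subtree(below.subject, s) for s in ca.permitted)
            if not allowed or any(_in_subtree(below.subject, s) for s in ca.excluded):
                errors.append(f"{below.subject} violates nameConstraints of {ca.subject}")
    errors += [f"issuer of {a.subject} is not {b.subject}"           # name chaining
               for a, b in zip(path, path[1:]) if a.issuer != b.subject]
    if required_policy:                                              # policyMappings, walked down from the anchor
        acceptable = {required_policy}
        for ca in reversed(path[1:]):
            mapped = {s for i_, s in ca.policy_mappings if i_ in acceptable}
            acceptable = mapped | (acceptable - {i_ for i_, _ in ca.policy_mappings})
        if not acceptable & set(path[0].policies):
            errors.append(f"{path[0].subject} asserts none of {sorted(acceptable)}")
    return errors

# Constructed sample PKI (hypothetical names, URL and OIDs).
_T = lambda year: datetime(year, 1, 1, tzinfo=timezone.utc)
ROOT = Cert("Root CA", "Root CA", 1, _T(2020), _T(2040), policies=("1.2.3",))
SUB = Cert("Corp CA", "Root CA", 2, _T(2021), _T(2031), permitted=("corp.example",), policies=("1.2.3",),
           policy_mappings=(("1.2.3", "9.9.9"),))
LEAF = Cert("mail.corp.example", "Corp CA", 3, _T(2023), _T(2026), policies=("9.9.9",), aia_url="http://pki.corp.example/corp-ca.cer")
BAD = Cert("app.other.example", "Corp CA", 4, _T(2023), _T(2026), policies=("9.9.9",))
CRL = {"Root CA": set(), "Corp CA": {4}}                             # serial 4 is on Corp CA's CRL

def demo() -> dict:
    """A valid path built via AIA; a leaf that is revoked and outside its CA's nameConstraints; a client-only root."""
    fetch = {"http://pki.corp.example/corp-ca.cer": SUB}.get        # stands in for the HTTP fetch
    path, sources = discover_path(LEAF, [ROOT], fetch_aia=fetch)
    out = {"leaf": (sources, validate_path(path, CRL, _T(2025), required_policy="1.2.3"))}
    path, sources = discover_path(BAD, [ROOT], request_certs=[SUB])
    out["bad"] = (sources, validate_path(path, CRL, _T(2025), required_policy="1.2.3"))
    try:                                                             # a root that only the client vouches for
        discover_path(LEAF, [], request_certs=[SUB, ROOT])
        out["client-anchor"] = "accepted"
    except LookupError:
        out["client-anchor"] = "rejected"
    return out
```

Two design points worth noting. `discover_path` consults the sources lazily in the listed order, so the AIA URL is only fetched when neither the Trust Manager nor the request supplied the issuer, and it accepts a self-signed certificate as a trust anchor only when that certificate is registered in Trust Manager: a root that arrives only inside the request (the `client-anchor` scenario) ends in a LookupError rather than a trusted path. `validate_path` collects every failure instead of stopping at the first, and a certificate whose revocation status cannot be determined, because no CRL is held for its issuer and the policy does not allow a CDP/AIA lookup, is reported as a failure rather than passed.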


The following image shows the ADSS SCVP Service's home page and its sub-modules, which are described in the next sections:



The following sections describe how to configure the ADSS SCVP Service:

