Path Validation Settings
Path Validation Settings determine how the certificate chain (prepared via Path Discovery) will be validated.
Each element of the form is described below:
Items |
Description |
Use basic path validation |
This approach is not PKIX compliant: policy extensions in the certificates are not checked during validation. However, it is much faster than the other methods. Only these checks are performed in basic validation mode:
|
Use advanced path validation |
Select this option to perform PKIX compliant path validation. It strictly follows the PKIX algorithm and thus certificates that are not PKIX compliant cannot be validated. The following checks are performed in the advanced validation mode in addition to the basic path validation:
|
Use path validation via TSL |
If this radio button is enabled, then the path validation operation for qualified certificates will be performed against EU member state trusted lists using the validation policies mentioned in the trust service (this includes the signer's certificate and the certificates used to validate certificate validity status services: CRLs, OCSP, time-stamps, etc.). |
Inhibit Policy Mapping |
The Inhibit Policy Mapping option controls whether policy mapping is allowed during certification path validation. The inhibitPolicyMapping item inhibits certificate policy mapping during certification path validation. |
Require Explicit Policy |
The requireExplicitPolicy item specifies an input to the certification path validation algorithm, and it controls that there must be at least one valid policy in the certificate policies extension. |
Inhibit anyPolicy |
The requireExplicitPolicy item specifies an input to the certification path validation algorithm, and it controls that there must be at least one valid policy in the certificate policies extension. |
Acceptable certificate policy OIDs |
The userPolicySet item specifies a list of certificate policy identifiers that the SCVP server MUST use when constructing and validating a certification path. The userPolicySet item specifies the user-initial-policy-set. A userPolicySet containing the anyPolicy OID indicates a user-initial-policy-set of any-policy. |
Permitted Subject Names |
The PKIX validation algorithm allows the client to set one or more subject names that MUST appear in the certificate chain. If the configured subjects match the certificate chain, this check passes; otherwise an error is returned to the user. If multiple DNs are configured, an OR operator is used for validation. Permitted Subject Names can be added, edited or removed by clicking their respective buttons. To add a new subject name, click the Add button, fill in the respective fields on the screen that appears with the required subject name information, and click the Save button. |
Excluded Subject Names |
The PKIX validation algorithm allows the client to set one or more subject names that MUST NOT appear in the certificate chain. If the Permitted Subject Names checkbox is checked, this check is applied to the Permitted certificates; otherwise any certificate that meets this criterion will be rejected. Excluded Subject Names can be added, edited or removed by clicking their respective buttons. To add a new subject name, click the Add button, fill in the respective fields on the screen that appears with the required subject name information, and click the Save button. |
Key Usages |
The Key Usages item indicates the technical usage of the public key that is to be confirmed by the server as acceptable. Key Usages combined with the OR operator are shown on separate lines in the Selected Key Usages list, while Key Usages combined with the AND operator are shown comma-separated on a single line. |
Extended Key Usages |
The Extended Key Usages item indicates the application-specific usage of the public key that is to be confirmed by the server as acceptable. |
If you want users to be able to set the value of an attribute in the request, check the relevant overridable checkbox. Clicking the Next button will display the Advanced Settings page. |
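
The following added example (not part of the product or its documentation) shows how the Key Usages OR/AND rule and the Permitted/Excluded Subject Names checks described above combine when evaluating a chain. The function names, the string-based DN comparison and the sample chain are assumptions made for illustration.

```python
# Added example. Assumptions: DNs are compared as case-insensitive strings with
# spaces around commas ignored (escaped commas are not handled), and an empty
# Key Usages selection enforces nothing. All names below are hypothetical.

def key_usage_acceptable(cert_usages, selected_lines):
    """Each selected line is one OR alternative; the comma-separated usages
    inside a line must ALL be present in the certificate (AND)."""
    have = {u.strip().lower() for u in cert_usages}
    for line in selected_lines:
        required = {u.strip().lower() for u in line.split(",") if u.strip()}
        if required and required <= have:
            return True
    return not selected_lines

def _norm(dn):
    # Normalise "CN=A, O=B" and "cn=a,o=b" to the same string.
    return ",".join(part.strip().lower() for part in dn.split(","))

def subject_names_ok(chain_subjects, permitted=(), excluded=()):
    """Return (ok, reason) for the Permitted/Excluded Subject Names checks."""
    chain = {_norm(s) for s in chain_subjects}
    hit = chain & {_norm(d) for d in excluded}
    if hit:  # an excluded name anywhere in the chain rejects it
        return False, "excluded subject name in chain: " + sorted(hit)[0]
    if permitted and not chain & {_norm(d) for d in permitted}:
        return False, "no permitted subject name found in chain"  # OR over DNs
    return True, "ok"

def evaluate(cert_usages, chain, selected, permitted=(), excluded=()):
    """Run the key usage check first, then the subject name checks."""
    if not key_usage_acceptable(cert_usages, selected):
        return False, "key usage not acceptable"
    return subject_names_ok(chain, permitted, excluded)

# Constructed sample data (not from the page).
CHAIN = ["CN=Alice Signer, O=Example Corp, C=GB",
         "CN=Example Issuing CA, O=Example Corp, C=GB",
         "CN=Example Root CA, O=Example Corp, C=GB"]
# Two lines: (digitalSignature AND nonRepudiation) OR keyEncipherment
SELECTED = ["digitalSignature,nonRepudiation", "keyEncipherment"]

if __name__ == "__main__":
    print(evaluate({"digitalSignature"}, CHAIN, SELECTED))
    print(evaluate({"keyEncipherment"}, CHAIN, SELECTED, permitted=[CHAIN[2]]))
    print(evaluate({"keyEncipherment"}, CHAIN, SELECTED, excluded=[CHAIN[1]]))
```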
See also
Trust Anchor Settings
Signature Settings
Algorithms Settings
Path Discovery Settings
Advanced Settings