Path Validation Settings determine how the certificate chain (prepared via Path Discovery) will be validated:



Each element of the form is described below, each item followed by its description:

Use basic path validation

This approach is not PKIX compliant: certificate policy extensions are not checked during validation. However, it is a much faster method than advanced path validation.
Only the following checks are performed in basic validation mode:

  • Certificate Validation
  • Signature Verification
  • Revocation Status
  • Key Usages and Extended Key Usages

Use advanced path validation

Select this option to perform PKIX compliant path validation. It strictly follows the PKIX algorithm and thus certificates that are not PKIX compliant cannot be validated.
The following inputs are processed in advanced validation mode, in addition to the checks of basic path validation:

  • initial-policy-set
  • initial-explicit-policy
  • initial-policy-mapping-inhibit
  • initial-inhibit-any-policy

Inhibit Policy Mapping

The Inhibit Policy Mapping option controls whether policy mapping is allowed during certification path validation. When set, the inhibitPolicyMapping item inhibits certificate policy mapping during certification path validation.

Require Explicit Policy

The requireExplicitPolicy item specifies an input to the certification path validation algorithm; it requires that at least one valid policy be present in the certificate policies extension.

Inhibit anyPolicy

The inhibitAnyPolicy item specifies an input to the certification path validation algorithm; it controls whether the anyPolicy OID is processed or ignored when evaluating certificate policies.

Acceptable certificate policy OIDs

The userPolicySet item specifies a list of certificate policy identifiers that the SCVP server MUST use when constructing and validating a certification path. The userPolicySet item specifies the user-initial-policy-set. A userPolicySet containing the anyPolicy OID indicates a user-initial-policy-set of any-policy.

Permitted Subject Names

The PKIX validation algorithm allows the client to set one or more subject names that MUST appear in the certificate chain. If a configured subject matches a certificate in the chain, this check passes; otherwise an error is returned to the user. If multiple DNs are configured, they are combined with an OR operator.

Permitted Subject Names can be added, edited or removed by clicking the respective buttons. To add a new subject name, click the Add button; the following screen is displayed:

Fill in the respective fields with the required subject name information and click the Add button.

Excluded Subject Names

The PKIX validation algorithm allows the client to set one or more subject names that MUST NOT appear in the certificate chain. If the Permitted Subject Names checkbox is checked, this check is applied to the certificates matched by the permitted names; otherwise any certificate that matches an excluded subject name is rejected.

If the 'Apply on Certificate Chain' checkbox is enabled, the excluded subject names are checked not only against the certificates that are yet to be validated but against the entire certificate chain.

Excluded Subject Names can be added, edited or removed by clicking the respective buttons. To add a new subject name, click the Add button; the following screen is displayed:

Fill in the respective fields with the required subject name information and click the Add button.

Key Usages

The Key Usages item indicates the technical usage of the public key that is to be confirmed by the server as acceptable. Key Usages combined with the OR operator are shown on separate lines in Selected Key Usages, while Key Usages combined with the AND operator are shown comma separated on a single line.

Extended Key Usages

The Extended Key Usages item indicates the application-specific usage of the public key that is to be confirmed by the server as acceptable. The AND operator is used when multiple Extended Key Usage (EKU) values are selected: if any selected EKU is not found in the certificate, a failed response is generated. If the anyPurpose EKU is selected, any EKU value in the certificate is acceptable, including no EKU at all.
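As an added example (not part of this documentation or the product's own code), the following Python models how the Permitted Subject Names, Excluded Subject Names, Key Usages and Extended Key Usages settings described above evaluate against a constructed certificate chain. The Cert class, the constructed chain and the exact way Excluded names interact with 'Apply on Certificate Chain' are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY_PURPOSE = "anyExtendedKeyUsage"  # id-kp-anyExtendedKeyUsage, OID 2.5.29.37.0

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the checks read."""
    subject: str           # subject DN, e.g. "CN=svc.example.test,O=Example"
    key_usages: frozenset  # KeyUsage bits present, e.g. {"digitalSignature"}
    ekus: frozenset        # EKU values present; empty means no EKU extension

def check_key_usages(cert, required_groups):
    """required_groups is a list of AND-groups OR'ed together: each line of
    'Selected Key Usages' is one group whose comma-separated usages must all be present."""
    if not required_groups:
        return True
    return any(set(group) <= cert.key_usages for group in required_groups)

def check_ekus(cert, required_ekus):
    """All selected EKUs must be present (AND); selecting anyPurpose accepts
    any EKU set, including a certificate with no EKU extension at all."""
    if not required_ekus or ANY_PURPOSE in required_ekus:
        return True
    return set(required_ekus) <= cert.ekus

def check_subject_names(chain, permitted=(), excluded=(), apply_on_chain=False):
    """Permitted DNs are OR'ed: at least one must appear somewhere in the chain.
    Excluded DNs reject a match; with permitted names configured, exclusion is applied
    to the permitted matches only unless apply_on_chain widens it to the whole chain
    (assumed reading of the settings)."""
    subjects = [c.subject for c in chain]
    matched = [s for s in subjects if s in permitted] if permitted else subjects
    if permitted and not matched:
        return False, "no permitted subject name found in chain"
    scope = subjects if (apply_on_chain or not permitted) else matched
    hits = [s for s in scope if s in excluded]
    return (False, f"excluded subject name present: {hits[0]}") if hits else (True, "ok")

def validate_policy_inputs(chain, key_usage_groups=(), ekus=(), permitted=(), excluded=(), apply_on_chain=False):
    """Run the three checks: usages on the end-entity certificate (chain[0]), names on the chain."""
    ee = chain[0]
    if not check_key_usages(ee, key_usage_groups): return False, "key usage mismatch"
    if not check_ekus(ee, ekus): return False, "extended key usage mismatch"
    return check_subject_names(chain, permitted, excluded, apply_on_chain)

# Constructed sample chain: end entity first, then issuing CA, then root.
EE = Cert("CN=svc.example.test,O=Example", frozenset({"digitalSignature", "keyEncipherment"}), frozenset({"serverAuth"}))
ISSUER = Cert("CN=Example Issuing CA,O=Example", frozenset({"keyCertSign", "cRLSign"}), frozenset())
ROOT = Cert("CN=Example Root CA,O=Example", frozenset({"keyCertSign", "cRLSign"}), frozenset())
CHAIN = [EE, ISSUER, ROOT]
```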


If you want the user to be able to set the value of an attribute in the request, check the relevant Overridable checkbox.


Clicking the Next button will display the Advanced Settings page.


See also

General Settings

Trust Anchor Settings
Path Discovery Settings
Advanced Settings