Validating certificates and applications

 

You can use Digital Certificate Manager (DCM) to validate individual certificates or the applications that use them. The list of things that DCM checks differs slightly depending on whether you are validating a certificate or an application.

Application validation

Using DCM to validate an application definition helps prevent certificate problems for the application when it is performing a function that requires certificates. Such problems might prevent an application either from participating successfully in a Secure Sockets Layer (SSL) session or from signing objects successfully.

When you validate an application, DCM verifies that there is a certificate assignment for the application and ensures that the assigned certificate is valid. Additionally, DCM ensures that if the application is configured to use a Certificate Authority (CA) trust list, that the trust list contains at least one CA certificate. DCM then verifies that the CA certificates in the application CA trust list are valid. Also, if the application definition specifies that Certificate Revocation List (CRL) processing occur and there is a defined CRL location for the CA, DCM checks the CRL as part of the validation process.

Certificate validation

When you validate a certificate, DCM verifies a number of items pertaining to the certificate to ensure the authenticity and validity of the certificate. Validating a certificate ensures that applications that use the certificate for secure communications or for signing objects are unlikely to encounter problems when using the certificate.

As part of the validation process, DCM checks that the selected certificate is not expired. DCM also checks that the certificate is not listed in a Certificate Revocation List (CRL) as revoked, if a CRL location exists for the CA that issued the certificate. In addition, DCM checks that the CA certificate for the issuing CA is in the current certificate store and that the CA certificate is enabled and therefore trusted. If the certificate has a private key (for example, server, client, and object signing certificates), then DCM also validates the public-private key pair to ensure that the public-private key pair match. In other words, DCM encrypts data with the public key and then ensures that the data can be decrypted with the private key.

 

Parent topic:

Managing DCM

Related concepts
Certificate Revocation List (CRL) Locations Validation