What is Trust Validation in SSL/TLS Certificate monitoring ?
Trust validation for certificates and certificate chains is conducted using OCSP (Online Certificate Status Protocol) and CRLDP (Certificate Revocation List Distribution Point). These methods ensure that the certificates used in secure communications are valid and have not been revoked.
Checks performed during trust validation:
- Untrusted Root Validation:
- This check ensures that the domain's SSL/TLS certificate is signed by a trusted root certificate from the trust store. Certificates not signed by a trusted authority are flagged as untrusted.
- Certificate Revocation Check:
- This validation confirms whether the certificate has been revoked by its issuing authority, indicating it is no longer valid for secure communications.
- Incorrect Chain Order Check:
- This check ensures the correct order of certificates in the chain. Each certificate must be properly signed by its respective issuer, ensuring that the server certificate is appropriately linked to an intermediate or root certificate.
- Self-Signed Certificate Check:
- This validation determines if the certificate is self-signed, meaning the entity that issued the certificate is also its owner, rather than a recognized certificate authority (CA). Self-signed certificates may not be trusted for secure communications.
- Incomplete Certificate Chain Check:
- This check identifies if the certificate chain is incomplete. If the SSL domain only has a single certificate that is not self-signed and lacks the necessary intermediate certificate, it indicates an incomplete chain on the server.
Protocols and Their Role in Trust Validaion :
- OCSP (Online Certificate Status Protocol):
- OCSP
enables real-time checking of a certificate's revocation status. During
validation, an OCSP request is sent to an OCSP responder, which replies
with the certificate's status as either "good," "revoked," or
"unknown."
- CRLDP (Certificate Revocation List Distribution Point):
- CRLDP uses Certificate Revocation Lists (CRLs), which are lists of revoked certificates published by the certificate authority (CA). The CRLDP specifies where the CRL can be retrieved, enabling systems to verify whether a certificate has been revoked.
New to ADSelfService Plus?
Related Articles
How to monitor SSL Certificate of FTPS server?
Two modes to invoke client security in FTPS Explicit mode Implicit mode Explicit mode (Default port 21) - This port shouldn't be used In Explicit mode, an FTPS client must "explicitly request" security from an FTPS server by sending an FTP command ...How to import certificates for monitoring DB2 Server with SSL authentication?
By default, if you want to use self-signed certificates for SSL connection then the certificate generated by the DB2 server will be db2server.arm. But our AppManager doesn't support arm files. So it has to be renamed as the db2server.cer and then ...What is Blacklisted Certificates check in SSL/TLS Certificate monitoring ?
The blacklist check ensures that the server’s SSL/TLS certificate is not blacklisted by comparing its SHA-256 fingerprint with a list of known blacklisted certificates. This process helps identify certificates that are associated with cyberthreats or ...LDAP - Unable to find valid SSL Certificate
If there is an error while adding LDAP Server Monitor with the message "Unable to find valid SSL Certificate", then please try the below steps to troubleshoot the issue. When the error occurs we can find the below traces in the "stderr.txt.*" log ...Troubleshooting SSL Handshake Error
SSL Handshake Error SSL Handshake error occurs when a secure connection cannot be established to the URL added for monitoring. Common reasons for it are wrong SSL protocol version, incompatible ciphers, and invalid/missing client-side certificate. ...