What is Trust Validation in SSL/TLS Certificate monitoring ?
Trust validation for certificates and certificate chains is conducted using OCSP (Online Certificate Status Protocol) and CRLDP (Certificate Revocation List Distribution Point). These methods ensure that the certificates used in secure communications are valid and have not been revoked.
Checks performed during trust validation
- Untrusted Root Validation:
- This check ensures that the domain's SSL/TLS certificate is signed by a trusted root certificate from the trust store. Certificates not signed by a trusted authority are flagged as untrusted.
- Certificate Revocation Check:
- This validation confirms whether the certificate has been revoked by its issuing authority, indicating it is no longer valid for secure communications.
- Incorrect Chain Order Check:
- This check ensures the correct order of certificates in the chain. Each certificate must be properly signed by its respective issuer, ensuring that the server certificate is appropriately linked to an intermediate or root certificate.
- Self-Signed Certificate Check:
- This validation determines if the certificate is self-signed, meaning the entity that issued the certificate is also its owner, rather than a recognized certificate authority (CA). Self-signed certificates may not be trusted for secure communications.
- Incomplete Certificate Chain Check:
- This check identifies if the certificate chain is incomplete. If the SSL domain only has a single certificate that is not self-signed and lacks the necessary intermediate certificate, it indicates an incomplete chain on the server.
Protocols and Their Role in Trust Validaion
- OCSP (Online Certificate Status Protocol):
- OCSP
enables real-time checking of a certificate's revocation status. During
validation, an OCSP request is sent to an OCSP responder, which replies
with the certificate's status as either "good," "revoked," or
"unknown."
- CRLDP (Certificate Revocation List Distribution Point):
- CRLDP uses Certificate Revocation Lists (CRLs), which are lists of revoked certificates published by the certificate authority (CA). The CRLDP specifies where the CRL can be retrieved, enabling systems to verify whether a certificate has been revoked.
New to ADSelfService Plus?
Related Articles
How to monitor SSL Certificate of FTPS server?
To monitor the SSL certificate of an FTPS server, Implicit mode is the recommended method. In this mode, the connection is automatically encrypted as soon as the client connects, making it ideal for monitoring SSL certificates. Implicit Mode (Default ...What is Blacklisted Certificates check in SSL/TLS Certificate monitoring ?
The blacklist check ensures that the server’s SSL/TLS certificate is not blacklisted by comparing its SHA-256 fingerprint with a list of known blacklisted certificates. This process helps identify certificates that are associated with cyberthreats or ...How to import certificates for monitoring DB2 Server with SSL authentication?
By default, if you want to use self-signed certificates for SSL connection then the certificate generated by the DB2 server will be db2server.arm. But our AppManager doesn't support arm files. So it has to be renamed as the db2server.cer and then ...Resolving Issues When Onboarding SSL-Enabled MySQL Database Servers
Error Message: Connections using insecure transport are prohibited while --require_secure_transport=ON Solution: To overcome this issue follow the steps given below: Execute the following query in the corresponding MySQL shell script: ALTER USER ...How to import certificates for monitoring Oracle database with SSL authentication?
For users using Applications Manager version 14250 and below: One-way SSL: (Client authentication disabled) 1. Open the command prompt using 'Run as administrator' option and navigate to the Applications Manager installation directory. 2. Import your ...