TRUSTED CERTIFICATE CHECKERS <policy><validate><certificate><trustedcertificate> |
CertificateDateChecker | Validates that the validity period in the certificate covers the validation time. |
SelfSignatureChecker | Validates that the signature in the certificate verifies with the public key in the certificate. |
CERTIFICATE SELF CHECKERS <policy><validate><certificate><self> |
CertificateDateChecker | Validates that the validity period in the certificate covers the validation time. |
CertificateExtensionChecker | Validates that the extension information in the certificate is compatible with RFC 5280. |
PositiveSerialNumberChecker | Validates that the certificate serial number is a positive integer. |
SignatureAlgConsistencyChecker | Validates that the signature algorithms in the certificate match. |
VersionChecker | Validates that the version information in the certificate is compatible with RFC 5280. |
QualifiedCertificateChecker | Validates that the certificate has qualified certificate properties. |
| Parameters | statementoids | The given OIDs are required in the certificate. In some cases multiple OIDs are required; you can combine them with AND or OR relations. Different OIDs are used in different countries; in such cases, the OIDs are combined with an OR relation (e.g. "(0.4.0.1862.1.1 AND 2.16.792.1.61.0.1.5070.1.1) OR (4.3.2.1 AND 1.2.3.4)"). |
CERTIFICATE CHAIN CHECKERS <policy><validate><certificate><issuer> |
BasicConstraintCAChecker | Validates that the basic constraints extension in the issuer certificate is compatible with RFC 5280. |
CertificateKeyUsageChecker | Validates that the key usage extension in the issuer certificate is compatible with RFC 5280. |
CertificateNameChecker | Validates that the issuer information in the certificate matches the subject information in the issuer certificate. |
CertificateSignatureChecker | Validates, by cryptographic verification, that the signature in the certificate was created with the issuer certificate's key. |
KeyIdentifierChecker | Validates that the authority key identifier extension in the certificate matches the subject key identifier extension in the issuer certificate. |
NameConstraintsChecker | Validates that the relation between subject information in the certificate and the name constraints extension in the issuer certificate is compatible with RFC 5280. |
PathLenConstraintChecker | Validates that the path length constraints extension in the issuer certificate is compatible with RFC 5280. |
PolicyConstraintsChecker | Validates that the policy constraints extension in the issuer certificate is compatible with RFC 5280. |
CERTIFICATE REVOCATION CHECKERS <policy><validate><certificate><revocation> |
RevocationFromCRLChecker | Performs revocation control of a certificate by looking at the corresponding CRL. |
| Parameters | cevrimdisicalis | [true,false*]
Indicates that the validation is performed offline. When set to true, the revocation checker returns a successful result even if it cannot find any CRL. This parameter is defined in order to validate certificates in offline environments where online CRLs are not available. Must be used with care! |
checkAllCRLs | [true,false*]
Normally, it is enough to check one valid CRL for the revocation control of a certificate. In some cases, the user may want to check all CRLs that can be found by the finders. If so, this parameter must be set to true. |
devam | [true,false*]
If it is true, the validation process continues to the next CRL even if the control for the current CRL completed successfully. |
RevocationFromOCSPChecker | |
| Parameters | devam | [true,false*]
If it is true, the validation process continues to the next OCSP response even if the control for the current OCSP response completed successfully. |
CRL SELF CHECKERS <policy><validate><crl><crlself> |
CRLDateChecker | Validates that the validity period in the CRL covers the validation time. |
CRLExtensionChecker | Validates that the extension information in the CRL is compatible with RFC 5280. |
CRL CHAIN CHECKERS <policy><validate><crl><crlissuer> |
CRLKeyUsageChecker | Validates that the key usage extension in the CRL issuer certificate is compatible with RFC 5280. |
CRLSignatureChecker | Validates, by cryptographic verification, that the signature in the CRL was created with the CRL issuer certificate's key. |
DELTA CRL CHECKERS <policy><validate><deltacrl> |
FreshestCRLChecker | Validates that the freshest CRL extension in the delta CRL is compatible with RFC 5280. |
DeltaCRLIndicatorChecker | Validates that the delta CRL indicator extension in the delta CRL is compatible with RFC 5280. |
OCSP RESPONSE CHECKERS <policy><validate><ocsp> |
SigningCertificateChecker | Validates the OCSP response signing certificate. |
OCSPSignatureChecker | Validates, by cryptographic verification, that the signature in the OCSP response was created with the OCSP issuer certificate's key. |
ResponseStatusChecker | Validates that the response status information in the OCSP response is valid. |
OCSPResponseDateChecker | Validates that the validity period in the OCSP response covers the validation time. |
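
The statementoids parameter of QualifiedCertificateChecker takes a boolean expression over OIDs. The following is an added example, not the library's own code: it evaluates such an expression against the set of statement OIDs found in a certificate. It assumes AND binds tighter than OR where parentheses are omitted; the function names and the sample OID set are hypothetical.

```python
import re
from collections import deque

# A token is a parenthesis, the keyword AND / OR, or a dotted-decimal OID.
_TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|\d+(?:\.\d+)+)")
# The expression quoted on the page, and a constructed set of certificate OIDs.
PAGE_EXAMPLE = "(0.4.0.1862.1.1 AND 2.16.792.1.61.0.1.5070.1.1) OR (4.3.2.1 AND 1.2.3.4)"
SAMPLE_CERT_OIDS = {"0.4.0.1862.1.1", "2.16.792.1.61.0.1.5070.1.1"}

def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    # Text the token pattern skipped over means the expression is malformed.
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unrecognised text in expression")
    return tokens

def statement_oids_satisfied(expr, cert_oids):
    """True if the statement OIDs found in a certificate satisfy expr."""
    # Assumption: AND binds tighter than OR. Syntax errors raise (fail closed).
    queue, present = deque(tokenize(expr) + [None]), set(cert_oids)

    def parse_or():
        result = parse_and()
        while queue[0] == "OR":
            queue.popleft()
            result = parse_and() or result  # operand first: always parsed
        return result

    def parse_and():
        result = parse_atom()
        while queue[0] == "AND":
            queue.popleft()
            result = parse_atom() and result  # operand first: always parsed
        return result

    def parse_atom():
        tok = queue.popleft()
        if tok == "(":
            result = parse_or()
            if queue.popleft() != ")":
                raise ValueError("missing closing parenthesis")
            return result
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"expected an OID or '(', got {tok!r}")
        return tok in present
    result = parse_or()
    if queue[0] is not None:
        raise ValueError(f"unexpected token {queue[0]!r}")
    return result
```

A certificate carrying only one OID of an AND group does not satisfy that group, and a malformed expression raises instead of evaluating to a result.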