Certificates,in short, a digital data that cryptographically binds a key pair and any information (identity info, authority info, role etc.) in a provable and undeniable way. Data signing, encyption , authentication are some of the basic PKI operations that can be performed with the key pair in certificates. The credibility of the certificate stems from the inimitable signature issued by trusted authority (CA). This signature is included in the certificate and can be verified when needed. The CA can either be the source of the trust itself or its trust can come from another trusted authority (Root CA ) via CA certificate issued by the Root CA. The Root CA has trust on its own and its certificate issued by itself. The certificates that are not used for certificate signing and used for other purposes are called as user certificates. For a user certificate, the chain of certificates starting from that certificate, going thorugh the certificate issuance relation and ending at the Root CA's certificate is named as certificate chain. In order for a user certificate to be trusted, firstly, a certificate chain starting from the user certificate and ending at a trusted CA or Root CA's certificate must exist. The total process of checking if a certificate can be trusted and valid and therefore can be used for the applied job is called certificate validation.

In order to provide a common structure for the certificates published for different purposes all over world, there are some standards defined the most widely accepted of which is X.509. In X.509 standard, certificates and CRLs are defined with their structural details. RFC 5280 document contains X.509 standard and it also includes a description of the validation process of X.509 certificates.

Certificate Authorities (CAs) beside issuing certificates, can revoke them due to several reasons. In that case these certificates become invalid and can not be trusted anymore. For example, when the private key of a certificate is acquired by unwanted people, due to the notification of this to the corresponding CA, the CA performs the revocation of the certificate. In order for user certificates to be validated in a secure manner, the revocation information of those certificates must be securely and easily accessible. Two methods are used for this, one is the online certificate status protocol (OCSP) in which the status of the certificates are queried online and the other one is CRLs in which the revoked certificates are periodically published in a file. These two methods, like certificates, are defined by standards commonly accepted and complied all over the world.

OCSP,defined in RFC 2560, is a protocol which enables querying of one or more certificates' revocation status information online. The protocol is initiated by an OCSP request and ends with an OCSP response generated by an OCSP server which includes the validity status ofthe queried certificates.OCSP queries can not be performed for expired certificates. For more details about the protocol, see the RFC 2560 document.

The structural details of CRL files is specified in X509 standard. A CRL mainly consists of a list of serial numbers of revoked certificates and a signature of this list created by the CA or any other authority assigned by the CA. Expired certificates are not listed in CRL. When a CRL is checked upon revocation control of a certificate, firstly, its X509 compatibility and signature must be validated which is called CRL validation. For detailed information about CRL files RFC 5280 can be seen.

Certificate and CRL validation consist of two phases namely path building and path validation. Creating a certificate chain starting from the certificated or crl to be validated and ending at a certificate of a trusted authority is called path building. The validation of the all certificates and the chain relation in a certificate chain is called path validation.

The validation of the certificates in the chain is called structural validation and the validation of the chain relation is called chain validation. In structural validation the certificates or the crl is checked if it satisfies the structural characteristics specified in X509. In other words, the information in the certificate or crl is validated according to the standard. For example, it is checked if the certificate has a serial number and it is a positive number. The validity period included in the certificate is checked if it covers the validation time which is another example of structural validation operations.

ESYA Certificate Validation API checks for all structural specifications included in RFC 5280 within the structural validation. It performs the path building algorithm described in RFC 4158 and the path validation algorithm described in RFC 5280.

Path building algorithm is described in RFC 4158 in detail. The algorithm starts from an initial certificate, which is the certificate to be validated, and iteratively add the issuer of the certificate to the certificates chain until a trusted root certificate is reached. For examplei let us consider the certificate tree demonstrated in the figure below;

In the tree, the certificate named as TA is the certificate of a trusted CA. In this case, path building algorithm creates a certificate chain for E, starting from E,including B , A or C and ending at TA.

The certificate chain: EE → B → A → TA

The chain created by the path building algorithm must be validated. The path validation algorithm is described by the flow diagram as follows:

For more details about Certificate Processing amd Finalization Steps shown in the figure exist in RFC 5280. In sort, it includes a set of structural and cryptografic validations.

CRL validation is almost the same as certificate validation. The only difference is the first element of the certificate chain is the certificate to be validated in certificate validation whereas the first element is the crl to be validated in crl validation.