Java validating a certificate

Certificate validation is implemented differently depending on the application validating the certificate, the type of identity being validated (validating a certificate from a web server, for example, differs from validating a signed e-mail), and the configuration of the Windows computer performing the validation. In general, three main areas of a certificate are checked during validation:

In many cases, certificates are designed to identify the computer or person holding the corresponding private key. For example, when a user provides their Windows Live credentials to log on to a website, the computer validates that the certificate used by the web server is authorized for the URL the user is accessing. As a side benefit, certificates published to clients provide additional configuration options, including configuration of cross-signing certificates, the OCSP server address, extended validation options, and purpose limitation, through the Certificates snap-in or through Group Policy.

Since root CAs do not have an issuer, their certificate will not have all of the information used to validate other types of certificates (i.e. Because of this, to establish trust with a root CA it must be installed in the Trusted Root Certification Authorities container (Root CA).


When a CA's key pair is renewed, the new certificate should not be published to the same path as the original certificate unless neither the CA's private key nor the authority key identifier (AKI) changes as part of the renewal.

Validity of a certificate chain is confirmed by retrieving the issuer's certificate (by default from the certificate's AIA path) and comparing the issuing certificate's subject key identifier (SKI) entry with the issued certificate's AKI entry.
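The two preceding points, the SKI/AKI link that chain building depends on and the effect of renewing a CA with or without a new key, can be exercised end to end with Go's standard `crypto/x509` package. The following program is an added example, not code from the original post or from any Microsoft tooling: it constructs a throwaway root CA and a server certificate in memory, checks that the leaf's AKI equals the issuer's SKI, runs full path validation against a trust store holding only that root, and then repeats the check against a root renewed with the same key (AKI still matches, validation succeeds) and one renewed with a new key (AKI no longer matches, validation fails). All names (`Example Root CA`, `www.example.test`) are constructed placeholders; the key-identifier derivation is one of the methods RFC 5280 permits, not the only one.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyID derives a Subject Key Identifier from the encoded public key. RFC 5280
// allows any method that yields a unique value; a truncated hash of the key is used here.
func keyID(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid P-256 key
	sum := sha256.Sum256(der)
	return sum[:20]
}

// caTemplate holds the fields shared by a fresh and a renewed root CA certificate.
func caTemplate(cn string, serial int64, pub *ecdsa.PublicKey) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		SubjectKeyId:          keyID(pub), // constructed: SKI bound to this key pair
	}
}

// newCA creates a self-signed root CA with a brand-new key pair (the "renewed with a new key" case).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := caTemplate(cn, 1, &key.PublicKey)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// renewCA re-issues a root certificate for the SAME key pair: new serial and dates,
// but the SKI, and therefore every issued certificate's AKI, stays unchanged.
func renewCA(old *x509.Certificate, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := caTemplate(old.Subject.CommonName, old.SerialNumber.Int64()+1, &key.PublicKey)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueLeaf signs a server certificate for host. The AKI is copied from the issuer's
// SKI; that pairing is what chain building compares later.
func issueLeaf(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(100),
		Subject:        pkix.Name{CommonName: host},
		DNSNames:       []string{host},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SubjectKeyId:   keyID(&key.PublicKey),
		AuthorityKeyId: parent.SubjectKeyId,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// akiMatchesSKI is the issuer-lookup step from the post: the issued certificate's AKI
// must equal the candidate issuer's SKI.
func akiMatchesSKI(issued, issuer *x509.Certificate) bool {
	return len(issued.AuthorityKeyId) > 0 && bytes.Equal(issued.AuthorityKeyId, issuer.SubjectKeyId)
}

// verifyForHost runs full path validation (signature, validity period, basic constraints,
// EKU) against a trust store containing only root, and checks the certificate is
// authorized for host, the same check a client makes against the URL it is accessing.
func verifyForHost(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, rootKey, _ := newCA("Example Root CA")
	leaf, _ := issueLeaf(root, rootKey, "www.example.test")
	sameKey, _ := renewCA(root, rootKey)
	newKey, _, _ := newCA("Example Root CA")
	for name, ca := range map[string]*x509.Certificate{"original": root, "renewed, same key": sameKey, "renewed, new key": newKey} {
		fmt.Printf("%-18s AKI==SKI: %-5v verify: %v\n", name, akiMatchesSKI(leaf, ca), verifyForHost(leaf, ca, "www.example.test"))
	}
}
```

The renewed-with-a-new-key case is the one the post warns about: the renewed root has the same subject name as the original, so a client that located issuers by name alone would pick it up, but its SKI no longer matches the leaf's AKI and the leaf's signature does not verify under the new key, so path validation fails until the leaf is re-issued under the new CA certificate.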

As discussed in part 2 of this series, the SKI is populated with one of three values: the serial number of the certificate, a unique ID assigned by the signing CA, or any manner of identification listed as part of the General Name data type.

This field contains the X.500 address (also referred to as the LDAP distinguished name) of the object whose identity is being asserted.

As mentioned in my previous blog entry on the X.509 certificate, this is a throwback to the roots and original intent of PKI: directory services.

As discussed in my post on the X.509 certificate, any version 3 certificate signed by a certification authority should have at least one entry under the "Authority Information Access" pointing clients towards a location where they can obtain the certificate of the signing CA to validate the relationship.
