Dell SmartFabric OS10 User Guide Release 10.5.3

PKI certificate validation

The PKI certificate validation feature allows you to validate the following certificates:

  • A PKI certificate that is already installed as a host certificate.
  • A PKI certificate that is already installed as a CA certificate in the trust store.
  • A host certificate, during its installation process. If validation fails, the host certificate is not installed.

The PKI certificate feature also allows the acceptance of self-signed certificates from trusted servers. If validation fails, neither the host certificate nor the host key is installed. The crypto ca-cert install command permits the installation of a trusted server's self-signed certificate during certificate validation.

This feature performs validation against either an existing installed PKI certificate or against a PKI certificate that is yet to be installed. If you use certificate revocation lists (CRLs) to verify the PKI certificates, there is no interaction with an external server. If you use the online certificate status protocol (OCSP) to verify the PKI certificates, OCSP uses the URL in the Authority-Information-Access field in the certificate and sends an OCSP request.

If the CRL DP (CRL distribution point) field is present in the certificate to be verified, its contents are used to fetch the CRL from its location.

If the Authority-Information-Access field is present, its contents are used to send a request to the OCSP server and await a response.

Whether the CRL is pulled from its HTTP distribution point or an OCSP server is queried, an external server is contacted to obtain up-to-date revocation information.

Certificate validation fails for any of the following reasons:

  • The certificate has an invalid notBefore date.
  • The certificate has an invalid notAfter date.
  • A host certificate has the basicConstraints CA flag set to true.
  • The certificate chain (for signed certificates) cannot be validated.
  • The PKI certificate is revoked.

During installation of a CA certificate, the certificate must be a CA signer; several of its fields are validated to check whether it is a CA signer.

A trusted host certificate must be self-signed and must not be capable of signing other certificates.

In all failure scenarios, an audit log entry that specifies the reason for the certificate validation failure is written. If the validation action succeeds, an audit log entry indicating successful certificate validation is written. The commonName (if present) or subjectAltName (if present) of the certificate must appear in every audit log entry for that action.
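The following Python script is an added example, not OS10 code and not taken from this guide: it models the validation rules above (date checks, the basicConstraints CA flag rule for host certificates, chain validation against a trust store, the CA-signer requirement for CA certificates, the self-signed and non-signing requirement for trusted hosts, and revocation) and writes an audit entry naming the commonName or, when that is absent, the subjectAltName. The certificate fields are a constructed dataclass rather than parsed X.509, the CRL is modelled as a set of revoked serial numbers, and treating the keyUsage keyCertSign bit as one of the "CA signer" fields is an assumption, since the guide does not name the fields it checks.

```python
"""Model of OS10-style PKI certificate validation rules (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Only the X.509 fields the validation rules look at (constructed model)."""
    subject_cn: str        # commonName; empty string when absent
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    serial: int
    is_ca: bool            # basicConstraints CA flag
    key_cert_sign: bool    # keyUsage keyCertSign (assumed "CA signer" field)
    san: tuple = ()        # subjectAltName entries

    @property
    def self_signed(self) -> bool:
        return self.subject_cn == self.issuer_cn


AUDIT_LOG: list = []


def _name(cert: Cert) -> str:
    # commonName if present, otherwise the first subjectAltName entry
    return cert.subject_cn or (cert.san[0] if cert.san else "<unnamed>")


def _audit(action: str, cert: Cert, reason) -> str:
    outcome = "success" if reason is None else "failure"
    entry = f"pki {action} validation {outcome} subject={_name(cert)} serial={cert.serial}"
    if reason is not None:
        entry += f" reason={reason!r}"
    AUDIT_LOG.append(entry)
    return entry


def _chain_validates(cert: Cert, trust_store: dict) -> bool:
    """Walk issuer links through the trust store until a trusted self-signed root."""
    seen, current = set(), cert
    while not current.self_signed:
        if current.issuer_cn in seen:          # guard against issuer loops
            return False
        seen.add(current.issuer_cn)
        issuer = trust_store.get(current.issuer_cn)
        if issuer is None or not (issuer.is_ca and issuer.key_cert_sign):
            return False
        current = issuer
    return current.subject_cn in trust_store  # the root itself must be trusted


def validate(cert: Cert, action: str, trust_store: dict, crl=frozenset(), now=None):
    """action is 'host', 'ca' or 'trusted-host'. Returns (ok, reason); writes one audit entry."""
    now = now or datetime.now(timezone.utc)
    reason = None
    if cert.not_before > now:
        reason = "invalid notBefore date"
    elif cert.not_after < now:
        reason = "invalid notAfter date"
    elif cert.serial in crl:                   # CRL modelled as revoked serial numbers
        reason = "certificate revoked"
    elif action == "host":
        if cert.is_ca:
            reason = "host certificate has basicConstraints CA=true"
        elif not _chain_validates(cert, trust_store):
            reason = "certificate chain cannot be validated"
    elif action == "ca":
        if not (cert.is_ca and cert.key_cert_sign):
            reason = "certificate is not a CA signer"
    elif action == "trusted-host":
        if not cert.self_signed:
            reason = "trusted host certificate must be self-signed"
        elif cert.is_ca or cert.key_cert_sign:
            reason = "trusted host certificate must not be able to sign certificates"
    else:
        raise ValueError(f"unknown action {action!r}")
    _audit(action, cert, reason)
    return reason is None, reason


# --- constructed sample certificates; none of these are real certificates ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_OK = dict(not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
           not_after=datetime(2026, 1, 1, tzinfo=timezone.utc))
ROOT = Cert("Example Root CA", "Example Root CA", serial=1, is_ca=True, key_cert_sign=True, **_OK)
HOST = Cert("switch1.example.net", "Example Root CA", serial=2, is_ca=False, key_cert_sign=False, **_OK)
HOST_CA_FLAG = Cert("switch2.example.net", "Example Root CA", serial=3, is_ca=True, key_cert_sign=False, **_OK)
EXPIRED = Cert("switch3.example.net", "Example Root CA", serial=4, is_ca=False, key_cert_sign=False,
               not_before=_OK["not_before"], not_after=datetime(2024, 5, 1, tzinfo=timezone.utc))
ORPHAN = Cert("", "Unknown CA", serial=5, is_ca=False, key_cert_sign=False,
              san=("switch4.example.net",), **_OK)
TRUSTED = Cert("syslog.example.net", "syslog.example.net", serial=6, is_ca=False, key_cert_sign=False, **_OK)
REVOKED = Cert("switch5.example.net", "Example Root CA", serial=7, is_ca=False, key_cert_sign=False, **_OK)
TRUST_STORE = {ROOT.subject_cn: ROOT}
CRL = frozenset({REVOKED.serial})


def run_demo() -> dict:
    """Run every scenario once and return {scenario: (ok, reason)}."""
    AUDIT_LOG.clear()
    return {
        "ca-install-root": validate(ROOT, "ca", TRUST_STORE, CRL, NOW),
        "ca-install-host": validate(HOST, "ca", TRUST_STORE, CRL, NOW),
        "host-ok": validate(HOST, "host", TRUST_STORE, CRL, NOW),
        "host-ca-flag": validate(HOST_CA_FLAG, "host", TRUST_STORE, CRL, NOW),
        "host-expired": validate(EXPIRED, "host", TRUST_STORE, CRL, NOW),
        "host-no-chain": validate(ORPHAN, "host", TRUST_STORE, CRL, NOW),
        "host-revoked": validate(REVOKED, "host", TRUST_STORE, CRL, NOW),
        "trusted-host-ok": validate(TRUSTED, "trusted-host", TRUST_STORE, CRL, NOW),
        "trusted-host-is-ca": validate(ROOT, "trusted-host", TRUST_STORE, CRL, NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:20} {'PASS' if ok else 'FAIL'} {reason or ''}")
    print("\n".join(AUDIT_LOG))
```

The ordering in validate mirrors the failure list in the text: validity dates and revocation are checked for every action, and only then do the per-action rules apply, so a host certificate that is both expired and wrongly flagged as a CA is logged with the date problem as its reason. Each call produces exactly one audit entry, which is the property to check when reviewing a switch's audit log after a failed crypto ca-cert install.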
