Restriction and limitation
- The PKI certificate feature must be usable on any platform running SmartFabric OS10. The validation commands do not modify the file system or certificates.
The PKI certificate validation feature allows you to validate the following certificates:
The PKI certificate feature also allows acceptance of self-signed certificates from trusted servers. If validation fails, the host certificate and host key are not installed. The crypto ca-cert install command permits the installation of self-signed certificates of trusted servers during certificate validation.
This feature performs validation against either an existing installed PKI certificate or against a PKI certificate that is yet to be installed. If you use certificate revocation lists (CRLs) to verify the PKI certificates, there is no interaction with an external server. If you use the online certificate status protocol (OCSP) to verify the PKI certificates, OCSP uses the URL in the Authority-Information-Access field of the certificate and sends an OCSP request.
- If the CRL DP (CRL distribution point) field is present in the certificate to be verified, its contents are used to fetch the CRL from that location.
- If the Authority-Information-Access field is present, its contents are used to send a request to the OCSP server and await a response.
Whether the CRL is pulled from its HTTP site or an OCSP server is contacted, some external server is contacted for up-to-date revocation information.
There are several reasons that cause the certificate validation to fail:
- During installation of a CA certificate, the certificate must be a CA signer; several fields are validated to check whether the certificate is a CA signer or not.
- The trusted host certificate must be self-signed and not capable of signing other certificates.
In all failure scenarios, an audit log entry that specifies the reason for the certificate validation failure is present. If the validation action succeeds, an audit log entry indicating successful certificate validation must be present. The commonName (if present) or subjectAltName (if present) of the certificate must be present in all audit log entries for that action.
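The following Go program is an added example and is not OS10 code; it shows, with the standard library x509 package, the kind of checks described above: the "CA signer" fields checked when a CA certificate is installed, the "self-signed and not able to sign other certificates" rule for a trusted host, the CRL DP and Authority-Information-Access fields that name the external servers a revocation check would contact (nothing is contacted here), and the commonName/subjectAltName that an audit log entry should carry. All function names, certificate names and URLs are constructed for the example; it generates its own certificates so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidationResult holds what an audit log entry for one validation action needs:
// the certificate name, the outcome, and the reason on failure.
type ValidationResult struct {
	Name   string // commonName if present, otherwise the first DNS subjectAltName
	OK     bool
	Reason string
}

// auditName returns the commonName, falling back to the first DNS subjectAltName.
func auditName(c *x509.Certificate) string {
	if c.Subject.CommonName != "" {
		return c.Subject.CommonName
	}
	if len(c.DNSNames) > 0 {
		return c.DNSNames[0]
	}
	return "<unnamed>"
}

// selfSigned reports whether issuer equals subject and the certificate's own key
// verifies its signature. CheckSignature skips the CA constraint checks that
// CheckSignatureFrom applies, so it also works for non-CA host certificates.
func selfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// ValidateCACert models the "must be a CA signer" check of a CA-cert install:
// basicConstraints must assert cA and keyUsage must include keyCertSign.
func ValidateCACert(c *x509.Certificate) ValidationResult {
	r := ValidationResult{Name: auditName(c)}
	switch {
	case !c.BasicConstraintsValid || !c.IsCA:
		r.Reason = "basicConstraints does not assert cA"
	case c.KeyUsage&x509.KeyUsageCertSign == 0:
		r.Reason = "keyUsage lacks keyCertSign"
	case bytes.Equal(c.RawIssuer, c.RawSubject) && !selfSigned(c):
		r.Reason = "self-signature does not verify"
	default:
		r.OK, r.Reason = true, "CA certificate accepted"
	}
	return r
}

// ValidateTrustedHost models the trusted-host rule: the certificate must be
// self-signed and must not be capable of signing other certificates.
func ValidateTrustedHost(c *x509.Certificate) ValidationResult {
	r := ValidationResult{Name: auditName(c)}
	switch {
	case !selfSigned(c):
		r.Reason = "certificate is not self-signed"
	case c.IsCA || c.KeyUsage&x509.KeyUsageCertSign != 0:
		r.Reason = "trusted host certificate must not be able to sign certificates"
	default:
		r.OK, r.Reason = true, "trusted host certificate accepted"
	}
	return r
}

// RevocationSources returns the CRL distribution points and the OCSP responder
// URLs (from Authority Information Access) that a revocation check would contact.
func RevocationSources(c *x509.Certificate) (crl, ocsp []string) {
	return c.CRLDistributionPoints, c.OCSPServer
}

// mustCert signs template with signerKey (parent == template gives a self-signed
// certificate) and returns the parsed certificate.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSamples creates constructed test material: a root CA, a server certificate
// it issued (carrying CRL DP and AIA), and a self-signed host certificate.
// Names and URLs are placeholders, not real infrastructure.
func BuildSamples() (ca, issued, host *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = mustCert(caTpl, caTpl, &caKey.PublicKey, caKey)
	issuedTpl := &x509.Certificate{ // no commonName, so the SAN becomes the audit name
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{"Example"}},
		DNSNames: []string{"server.example.test"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"},
		OCSPServer: []string{"http://ocsp.example.test"},
	}
	issued = mustCert(issuedTpl, ca, &leafKey.PublicKey, caKey)
	hostTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "switch-mgmt.example.test"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	host = mustCert(hostTpl, hostTpl, &leafKey.PublicKey, leafKey)
	return ca, issued, host
}

func main() {
	ca, issued, host := BuildSamples()
	for _, r := range []ValidationResult{ValidateCACert(ca), ValidateCACert(host),
		ValidateTrustedHost(host), ValidateTrustedHost(issued)} {
		fmt.Printf("audit: name=%q ok=%v reason=%q\n", r.Name, r.OK, r.Reason)
	}
	crl, ocsp := RevocationSources(issued)
	fmt.Println("CRL DP:", crl, "OCSP:", ocsp)
}
```

Run with `go run .`; each line of output is the shape of audit entry the text calls for (name, outcome, reason). The host certificate passes the trusted-host check but fails the CA check, and the CA-issued server certificate fails the trusted-host check because it is not self-signed, even though it is otherwise valid.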