Discuss this help topic in SecureBlackbox Forum
Detecting the reason for a certificate validation failure
Finding out the exact reason for a certificate validation failure can be tricky, because validation is a complex process that depends on a number of internal and external factors.
A good place to start is the validation log.
The log is presented as a human-readable tree, so the failing branch of the PKI tree can be identified quickly.
The following reasons for certificate validation failure (as returned by Validate()) are typical:
- The chain, or any subchain originating from a CRL, OCSP or TSA certificate, ends with a root certificate that is not trusted. A typical flag included in the Reason set for this kind of error is vrUnknownCA. In this case the Validity value returned by Validate() equals cvSelfSigned.
- One or more validation elements (CRLs or OCSP responses) could not be obtained. This is indicated by the vrCRLNotVerified and/or vrOCSPNotVerified flags in the Reason set.
- One or more root or intermediate CA certificates are missing (the validator cannot find them). Reason includes the vrUnknownCA flag.
- One or more certificates in the chain have an invalid signature. The vrInvalidSignature flag is reported in Reason.
- One or more certificates in the chain are used for a purpose they are not authorized for (e.g., an end-entity certificate acts as a CA). This is reported by the vrCAUnauthorized or vrNoKeyUsage flags.
- The certificate does not correspond to its owner (e.g., the host name does not match the TLS certificate). The vrIdentityMismatch reason is reported in this case.
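The failure categories above can be reproduced against a throwaway PKI to see how each one surfaces. The program below is an added example written for this page; it is not SecureBlackbox code and uses Go's standard crypto/x509 verifier rather than TElX509CertificateValidator. It builds a root, an intermediate and several end-entity certificates in memory, then verifies them with a trusted root, with an empty trust store, with the wrong host name, with a leaf lacking the serverAuth extended key usage, and with a certificate issued by a non-CA leaf. The vr* names are borrowed from the page only as labels; the mapping from Go's error types onto them is this example's own assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reason is a coarse failure category labelled with the flag names discussed above.
// The mapping from Go's crypto/x509 errors onto these labels is this example's own
// and is not how TElX509CertificateValidator computes its Reason set.
type Reason string

const (
	ReasonOK               Reason = "ok"
	ReasonUnknownCA        Reason = "vrUnknownCA"
	ReasonIdentityMismatch Reason = "vrIdentityMismatch"
	ReasonNoKeyUsage       Reason = "vrNoKeyUsage"
	ReasonCAUnauthorized   Reason = "vrCAUnauthorized"
	ReasonOther            Reason = "other"
)

var serial int64 // monotonically increasing serial for the constructed certificates

// newTemplate builds a minimal template: CAs get the CA bit and certSign usage,
// end-entity certificates get a DNS SAN equal to cn and the supplied EKUs.
func newTemplate(cn string, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
	}
	return t
}

// issue generates a P-256 key for tmpl and signs it with parentKey
// (self-signed when parent is nil). Panics are fine for a constructed fixture.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Classify maps the error returned by (*x509.Certificate).Verify onto a Reason.
func Classify(err error) Reason {
	var unknownCA x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return ReasonOK
	case errors.As(err, &hostname):
		return ReasonIdentityMismatch
	case errors.As(err, &invalid):
		switch invalid.Reason {
		case x509.IncompatibleUsage:
			return ReasonNoKeyUsage
		case x509.NotAuthorizedToSign:
			return ReasonCAUnauthorized
		}
		return ReasonOther
	case errors.As(err, &unknownCA):
		// Go also folds path-building failures (a candidate issuer with a bad
		// signature, or a non-CA issuer in some code paths) into this error,
		// keeping the underlying cause only in the message text.
		return ReasonUnknownCA
	}
	return ReasonOther
}

// Scenarios builds root -> intermediate -> leaf and runs the failure cases above.
func Scenarios() map[string]Reason {
	root, rootKey := issue(newTemplate("Example Root", true), nil, nil)
	inter, interKey := issue(newTemplate("Example Intermediate", true), root, rootKey)
	leaf, leafKey := issue(newTemplate("www.example.test", false, x509.ExtKeyUsageServerAuth), inter, interKey)
	clientOnly, _ := issue(newTemplate("client.example.test", false, x509.ExtKeyUsageClientAuth), inter, interKey)
	bogus, _ := issue(newTemplate("bogus.example.test", false, x509.ExtKeyUsageServerAuth), leaf, leafKey) // issued by a non-CA

	trusted, untrusted := x509.NewCertPool(), x509.NewCertPool() // untrusted stays empty
	trusted.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	inters.AddCert(leaf) // offered as a candidate issuer for bogus

	verify := func(c *x509.Certificate, roots *x509.CertPool, host string) Reason {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
		return Classify(err)
	}
	return map[string]Reason{
		"trusted chain":         verify(leaf, trusted, "www.example.test"),
		"root not trusted":      verify(leaf, untrusted, "www.example.test"),
		"wrong host":            verify(leaf, trusted, "mail.example.test"),
		"leaf lacks serverAuth": verify(clientOnly, trusted, "client.example.test"),
		"issuer is not a CA":    verify(bogus, trusted, "bogus.example.test"),
	}
}

func main() {
	for name, r := range Scenarios() {
		fmt.Printf("%-22s %s\n", name, r)
	}
}
```

The "issuer is not a CA" case is worth noting when reading Go's output against the page's list: depending on where path building gives up, Go returns either CertificateInvalidError with NotAuthorizedToSign or an UnknownAuthorityError that mentions the cause only in its message, whereas the page describes SecureBlackbox reporting vrCAUnauthorized as a distinct flag. Reading the validation log, as the page recommends, is what tells the two apart when only the coarse result is available.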
How To articles about TElX509CertificateValidator