Discuss this help topic in SecureBlackbox Forum

Validate certificates

The SSL/TLS peer notifies the application about the certificates received from the remote side via the OnCertificateValidate event.

The SSL component passes the application a reference to the certificate. The event is fired for every certificate in the chain received from the remote side. The first certificate passed is the topmost CA certificate present in the list; the next one is the certificate issued by that topmost CA, and so on. The last certificate is the end-entity certificate.

The chain always contains at least one certificate. The application can handle the certificates in the following manner:

  • Check whether the Certificate's Chain property references a chain.
  • If the Chain property is empty, the certificate is an end-entity certificate in SSL2 communication. Validate it as needed (see below).
  • If the reference is not empty and the 0'th certificate in the chain is the Certificate itself, the application has received the end-entity certificate. The application needs to validate the whole certificate chain.
  • If the reference is not empty and the 0'th certificate in the chain is not the Certificate itself, the application has received an intermediate certificate. The application needs to report back to the component that the certificate is valid by setting the Validate parameter to true.

As the description above shows, the application starts validation only when it receives the end-entity certificate. By the time it has the end-entity certificate, it also has the whole certificate chain. For more information about certificate validation, see the corresponding how-to article.

To report whether the certificate is valid or not, set the Validate parameter of the OnCertificateValidate event to true or false accordingly.

If the certificate is reported as not valid, the SSL/TLS connection is not established.
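The handler logic described above, as an added example that is not SecureBlackbox code: a stand-in Certificate type with a Chain-like attribute (assumed to be ordered end-entity first, consistent with the 0'th element being the certificate itself), a handler that applies the three cases, and a constructed whole-chain check in place of the full validation covered in the how-to article.

```python
# Added example, not SecureBlackbox code: models the OnCertificateValidate
# decision logic with a minimal stand-in Certificate type.
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(eq=False)
class Certificate:
    subject: str
    issuer: str
    # Stand-in for the Chain property; assumed to be ordered end-entity first,
    # which is consistent with the 0'th element being the certificate itself.
    chain: Optional[List["Certificate"]] = None

def chain_is_trusted(chain: List[Certificate], trusted_roots: Set[str]) -> bool:
    """Constructed whole-chain check: every certificate must be issued by the
    next one and the last one must be a trusted, self-issued root. A real
    validator also verifies signatures, validity periods and revocation."""
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in trusted_roots:
        return False
    return all(child.issuer == parent.subject
               for child, parent in zip(chain, chain[1:]))

def on_certificate_validate(cert: Certificate, trusted_roots: Set[str]) -> bool:
    """Returns the value to assign to the event's Validate parameter."""
    chain = cert.chain
    if not chain:
        # Empty Chain: end-entity certificate of an SSL2 session, validated alone
        # (simplified to "issued directly by a trusted root").
        return cert.issuer in trusted_roots
    if chain[0] is cert:
        # End-entity certificate: the whole chain is now available, validate it.
        return chain_is_trusted(chain, trusted_roots)
    # Intermediate (or root) certificate: report it as valid and wait for the leaf.
    return True

def simulate_handshake(chain: List[Certificate], trusted_roots: Set[str]) -> List[bool]:
    """Fires the event once per certificate, topmost CA first, as the peer does."""
    for cert in chain:
        cert.chain = chain
    return [on_certificate_validate(c, trusted_roots) for c in reversed(chain)]

# Constructed sample chain: leaf -> intermediate -> root.
ROOT = Certificate("Example Root CA", "Example Root CA")
INTER = Certificate("Example Issuing CA", "Example Root CA")
LEAF = Certificate("www.example.com", "Example Issuing CA")
TRUSTED = {"Example Root CA"}
```

Only the last event (the end-entity certificate) can return false; the earlier ones are answered with true because validation of intermediates is deferred until the full chain is known.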
