Certificate validation criteria

Device or server certificate (external to the appliance)

A device's certificate is considered valid when:
  • it is in X509 format, v1 or v3. X509 v3 is the preferred and recommended format for device leaf-level certificates.

  • it has not expired. The validity period is indicated by the valid from and valid to fields.

    Expired and future-dated certificates are not considered valid, and you cannot import such certificates to the appliance.

  • it has an optional Key Usage extension.

    If the certificate contains a Key Usage extension, it must include Digital signature and must not include Certificate signing among its values.

    For self-signed certificates, this field is not validated.

    For CA-signed certificates, this field is validated.

  • it has an optional Extended Key Usage extension.

    If the certificate contains an Extended Key Usage extension, it must contain Server Authentication as one of the values.

  • it has an optional Basic Constraints extension.

    If the certificate contains a Basic Constraints extension, it must contain Subject Type set to End Entity and Path Length Constraint set to None.

  • it is signed with a signature algorithm that the appliance supports for external devices and servers. For example, an MD5 certificate is considered invalid.

  • it has a public key length that the appliance supports for external devices and servers. For example, a 512-bit public key is invalid.

  • for external repository servers:

    • it has a Subject Alternative Name (SAN) field that includes an IP Address entry set to the address of the repository server, along with the other required values. For example, IP Address=172.20.3.173.

    • for IPv6 repository addresses, the SAN field must include both a DNS Name entry and an IP Address entry for the repository server, along with the other required values. For example, DNS Name=[1::3] and IP Address=1::3.

CA certificate (root or intermediate CA)

A CA certificate (root or intermediate) is considered valid when:
  • it is of X509 format, v1 or v3.

  • it has not expired. The validity period is indicated by the valid from and valid to fields.

    Expired and future-dated certificates are not considered valid, and you cannot import such certificates to the appliance.

  • it has an optional Key Usage extension. If the certificate contains a Key Usage extension, it must contain Certificate signing as one of the values.

  • it has an optional Extended Key Usage extension. If the certificate contains an Extended Key Usage extension, it is ignored.

  • it has an optional Basic Constraints extension. If the certificate contains a Basic Constraints extension, the Subject Type must be set to CA.

    Optionally, the certificate may contain a Path Length Constraint.

  • it is signed with a signature algorithm that the appliance supports for CA certificates. For example, MD5 and SHA-1 CA certificates are invalid.

  • it has a public key length that the appliance supports for CA certificates.

Appliance certificate

An appliance certificate is considered valid when:
  • it is of X509 format, v1 or v3.

  • it has not expired. The validity period is indicated by the valid from and valid to fields.

    Expired and future-dated certificates are not considered valid, and you cannot import such certificates to the appliance.

  • it has an optional Key Usage extension.

    If the certificate contains a Key Usage extension, it must contain Digital signature as one of the values.

  • it has an optional Extended Key Usage extension.

    If the certificate contains an Extended Key Usage extension, it must contain Server Authentication and Client Authentication as the values.

  • it has an optional Basic Constraints extension. If the certificate contains the Basic Constraints extension, the values of Subject Type and Path Length Constraint must be set to End Entity and None, respectively.

  • it is signed with a signature algorithm that the appliance supports for the appliance certificate. For example, MD5 and SHA-1 certificates are invalid.

  • it has a public key length that the appliance supports for the appliance certificate.

Client certificate used in two-factor authentication

A two-factor authentication client certificate is considered valid when:
  • it is of X509 v3 format.

  • it has not expired. The validity period is indicated by the valid from and valid to fields.

    Expired and future-dated certificates are not considered valid, and you cannot import such certificates to the appliance.

  • it has an optional Key Usage extension.

    If the certificate contains a Key Usage extension, it must contain Digital signature as one of the values.

  • it has an optional Extended Key Usage extension.

    If the certificate contains an Extended Key Usage extension, it must contain Client Authentication and Smart Card Logon as the values.

  • it has an optional Basic Constraints extension. If the certificate contains the Basic Constraints extension, the values of Subject Type and Path Length Constraint must be set to End Entity and None, respectively.

  • it has a Subject Alternative Name (SAN) field that has Other name: Principal Name set to the User Principal Name (UPN) of the user logging in with two-factor authentication. An example of a UPN is firstname.lastname@example.com.

    Alternatively, the SAN field contains either the email address or the common name of the user logging in.

    The domain component (the base DN of the directory) is part of either the Issuer or the Subject field (for example, dc=example,dc=com).

  • it is signed with a signature algorithm that the appliance supports for external devices and servers. For example, an SHA-1 certificate is considered invalid.

  • it has a public key length that the appliance supports for external devices and servers.
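To make the four rule sets above concrete, here is an added policy checker (example code written for this page, not the appliance's own implementation) that evaluates fields already extracted from a parsed certificate and reports which criteria fail. The CertFacts structure, the profile names, the accepted hash algorithms and the minimum key lengths are assumptions; the page names only rejected examples (MD5, SHA-1, 512-bit keys) and the repository-server IP 172.20.3.173.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class CertFacts:                            # fields extracted from an already-parsed certificate
    version: int                            # X509 v1 or v3
    not_before: str                         # "YYYY-MM-DD"; ISO dates compare correctly as strings
    not_after: str
    hash_alg: str                           # hash in the signature algorithm: "md5", "sha1", "sha256"
    key_bits: int                           # public key length
    self_signed: bool = False
    key_usage: set | None = None            # None means the extension is absent
    ext_key_usage: set | None = None
    basic_constraints: tuple | None = None  # (is_ca, path_len or None)
    san_ips: frozenset = frozenset()        # "IP Address" entries in the SAN

# One rule set per certificate type above. Accepted hashes and minimum key length are
# assumptions; the page only names rejected examples (MD5, SHA-1, 512-bit keys).
PROFILES = {
    "device": dict(versions={1, 3}, bad_hashes={"md5"}, min_bits=1024, is_ca=False,
                   ku_must={"Digital signature"}, eku_must={"Server Authentication"}),
    "ca": dict(versions={1, 3}, bad_hashes={"md5", "sha1"}, min_bits=2048, is_ca=True,
               ku_must={"Certificate signing"}, eku_must=set()),  # EKU is ignored for CAs
    "appliance": dict(versions={1, 3}, bad_hashes={"md5", "sha1"}, min_bits=2048, is_ca=False,
                      ku_must={"Digital signature"}, eku_must={"Server Authentication", "Client Authentication"}),
    "client2fa": dict(versions={3}, bad_hashes={"sha1"}, min_bits=2048, is_ca=False,
                      ku_must={"Digital signature"}, eku_must={"Client Authentication", "Smart Card Logon"}),
}

def check(c: CertFacts, profile: str, now: str, repo_ip: str | None = None) -> list[str]:
    """Return the criteria violated under `profile`; an empty list means the certificate is valid."""
    p = PROFILES[profile]
    # Key Usage is optional; for device certificates it is validated only when CA-signed.
    ku_checked = c.key_usage is not None and not (profile == "device" and c.self_signed)
    forbid = {"Certificate signing"} if profile == "device" else set()
    bc_ok = c.basic_constraints is None or (c.basic_constraints[0] == p["is_ca"]
                                            and (p["is_ca"] or c.basic_constraints[1] is None))
    rules = [
        (c.version in p["versions"], f"X509 v{c.version} not accepted"),
        (c.not_before <= now <= c.not_after, "expired or future-dated"),
        (not ku_checked or (p["ku_must"] <= c.key_usage and not forbid & c.key_usage),
         "Key Usage values not allowed for this certificate type"),
        (c.ext_key_usage is None or p["eku_must"] <= c.ext_key_usage,
         f"Extended Key Usage lacks {sorted(p['eku_must'])}"),
        (bc_ok, "Basic Constraints: wrong Subject Type or Path Length Constraint"),
        (c.hash_alg.lower() not in p["bad_hashes"], f"{c.hash_alg} signature algorithm not supported"),
        (c.key_bits >= p["min_bits"], f"{c.key_bits}-bit public key not supported"),
        (repo_ip is None or repo_ip in c.san_ips, f"SAN lacks IP Address={repo_ip}"),
    ]
    return [msg for ok, msg in rules if not ok]
```

Pass `repo_ip` only when checking an external repository server certificate; the other profiles have no SAN requirement on this page apart from the UPN rule for two-factor client certificates, which is not modelled here.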