Errata exists for this version of the document.

The CertificateValidationOptions control the process used to validate a Certificate. Any Certificate can have validation options associated. If none are specified, the ValidationOptions for the store or list containing the Certificate are used. The possible options are shown in Table E.6. Note that suppressing any validation step can create security risks which are discussed in more detail in OPC 10000-2. An audit log entry shall be created if any error is ignored because a validation option is suppressed.

Table E.6 – CertificateValidationOptions

Field

Bit

Description

SuppressCertificateExpired

0

Ignore errors related to the validity time of the Certificate or its issuers.

SuppressHostNameInvalid

1

Ignore mismatches between the host name or ApplicationUri.

SuppressRevocationStatusUnknown

2

Ignore errors if the issuer’s revocation list cannot be found.

CheckRevocationStatusOnline

3

Check the revocation status online.

If set the validator will look for the URL of the CRL Distribution Point in the Certificate and use the OCSP (RFC 6960) to determine if the Certificate has been revoked.

If the CRL Distribution Point is not reachable then the validator will look for offline CRLs if the CheckRevocationStatusOffine bit is set. Otherwise, validation fails.

This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer.

CheckRevocationStatusOffline

4

Check the revocation status offline.

If set the validator will look a CRL in the Certificate Store where the CA Certificate was found.

Validation fails if a CRL is not found.

This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer.

UseDefaultOptions

5

If set the CertificateValidationOptions from the CertificateList shall be used.

If a Certificate does not belong to a CertificateList then the default is 0 for all bits.