The CertificateValidationOptions control the process used to validate a Certificate. Any Certificate can have validation options associated. If none are specified, the ValidationOptions for the store or list containing the Certificate are used. The possible options are shown in Table E.6. Note that suppressing any validation step can create security risks which are discussed in more detail in OPC 10000-2. An audit log entry is created if any error is ignored because a validation option is suppressed.
Table E.6 – CertificateValidationOptions
Field |
Bit |
Description |
SuppressCertificateExpired |
0 |
Ignore errors related to the validity time of the Certificate or its issuers. |
SuppressHostNameInvalid |
1 |
Ignore mismatches between the host name or ApplicationUri. |
SuppressRevocationStatusUnknown |
2 |
Ignore errors if the issuer’s revocation list cannot be found. |
CheckRevocationStatusOnline |
3 |
Check the revocation status online. If set, the validator will look for the authorityInformationAccess extension to find an OCSP (RFC 6960) endpoint which can be used to determine if the Certificate has been revoked. If the OCSP endpoint is not reachable then the validator will look for offline CRLs if the CheckRevocationStatusOffine bit is set. Otherwise, validation fails. This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer. |
CheckRevocationStatusOffline |
4 |
Check the revocation status offline. If set the validator will look a CRL in the Certificate Store where the CA Certificate was found. Validation fails if a CRL is not found. This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer. |
UseDefaultOptions |
5 |
If set the CertificateValidationOptions from the CertificateList is used. If a Certificate does not belong to a CertificateList then the default is 0 for all bits. |