The CertificateValidationOptionscontrol the process used to validate a Certificate. Any Certificatecan have validation options associated. If none are specified, the ValidationOptionsfor the store or list containing the Certificateare used. The possible options are shown in Table E.6. Note that suppressing any validation step can create security risks which are discussed in more detail in OPC 10000-2. An audit log entry shall be created if any error is ignored because a validation option is suppressed.

Table E.6– CertificateValidationOptions

Field

Bit

Description

SuppressCertificateExpired

0

Ignore errors related to the validity time of the Certificateor its issuers.

SuppressHostNameInvalid

1

Ignore mismatches between the host name or ApplicationUri.

SuppressRevocationStatusUnknown

2

Ignore errors if the issuer’s revocation list cannot be found.

CheckRevocationStatusOnline

3

Check the revocation status online.

If set the validator will look for the URL of the CRL Distribution Point in the Certificateand use the OCSP (RFC 6960) to determine if the Certificatehas been revoked.

If the CRL Distribution Point is not reachable then the validator will look for offline CRLs if the CheckRevocationStatusOffinebit is set. Otherwise, validation fails.

This option is specified for Issuer Certificatesand used when validating Certificates issued by that Issuer.

CheckRevocationStatusOffline

4

Check the revocation status offline.

If set the validator will look a CRL in the Certificate Storewhere the CA Certificatewas found.

Validation fails if a CRL is not found.

This option is specified for Issuer Certificatesand used when validating Certificatesissued by that Issuer.

UseDefaultOptions

5

If set the CertificateValidationOptionsfrom the CertificateListshall be used.

If a Certificatedoes not belong to a CertificateListthen the default is 0 for all bits.