Validators are applied to CA's to validate the issuance of certificates, based on key strength, origin or on other values inherent to the certificate issued. To apply a validation to the certificate issuance process, select the appropriate Validator in the Edit CA screen, causing it to be called at the appropriate phase of the certificate issuance process. Additionally, validators can be restricted to only run for certain certificate profiles.

Note that a validator is executed every time a new certificate is issued if the validator has been selected in the Edit CA screen and the certificate profile of the certificate being issued is enabled in the Edit Validator screen.

Validators are applied for one of the defined phases in the certificate issuance process:

  • Data validation after all required data for the certificate issuance was collected but before the certificate was generated.
  • Pre-certificate validation after the CT pre-certificate was generated but not submitted to CT logs, and before the final certificate is issued and stored (works with CT only).
  • Certificate validation after the certificate was generated but not stored and issued.

To explore Validators, select the Validators menu option under the CA Functions header.

Validation can also be performed manually using the Validation/Conformance Check Tool to perform custom validation on a sample of certificates. For more information, see EJBCA Validation/Conformance Tool.

Audit Logging

All validation results are audit logged and also logged in the server logs for more detail (log level can be configured).

Validator Types

Common Validator Settings 

To control the behavior during certificate issuance, the following base restrictions can be applied per validator:

DescriptionA general description of the Validator, not used for any validation purposes.
Apply for Certificate ProfilesValidate keys for these certificate profiles only. If nothing is selected in this list, no validation will be performed.
Apply for all Certificate ProfilesValidate keys for all certificate profiles, the list above will be ignored.
If Validation failedDefine behavior if key validation fails (e.g. abort issuance, log error message to trigger monitoring systems, etc.). All failed issuance also adds a record in the security audit log.
If Validator was not applicable Define behavior if the input is not applicable for the selected validator (for example, abort issuance, log error message to trigger monitoring systems, etc.). This handles the case when for example a CSR with ECC keys is passed to an RSA key validator.