The Default Validation Service has a set of Validators. A validator is responsible for checking the validity of a certificate against one or more issuers, for example by CRL check, OCSP, or a database lookup.
The Default Validation Service allows validations to be cached for some or all issuers for a specified amount of time. If not configured otherwise, the validation service uses the DefaultX509CertTypeChecker, which determines the certificate type from the key usage in the certificate.
Key Encipherment and Digital Signature indicate an IDENTIFICATION type, and Non-repudiation and/or Digital Signature indicates ELECTRONIC_SIGNATURE.
The validation-specific Web Service can be used for platform-independent client calls. The Web Service WSDL file is located at the URL:
The file contains two calls:
- isValid: Performs the validation check.
- getStatus: Checks the health of the node and its underlying systems. Can be used by clients for monitoring or implementing redundancy.
The following property types can be configured with the DefaultValidationService:
- General Properties: Apply for the service and all configured validators.
- Validator Properties: Only apply for a specific validator.
- Issuer Properties: Only apply for an issuer configured in a specific validator.
|Property|Description|
|---|---|
|CACHEDISSUERS|A ';' separated list of issuer names (usually issuer DNs). Optional, no validation is cached if unset.|
|CERTTYPECHECKER|Certificate type checker used to determine the type of certificate. Optional, default is org.signserver.validationservice.server.DefaultX509CertTypeChecker.|
|TIMEINCACHE|Time in seconds that a certificate validation should be cached. Optional, default is 10 seconds.|
Validator properties are specified using the prefix of
<validatorId> is an integer between 1 and 255. For example, to specify the type of a validator with an ID of 1:
This validator will be initialized with all its validator-specific properties (with the val<id>. prefix removed), as well as the general ones.
Fully qualified class name of the validator that should be used. Required for each configured validator.
Issuer properties: Issuer properties are specified as
CERTCHAIN = The certificate path of the CA certificates used to verify the certificate. Should be an appended BASE64 string. Required for each configured issuer.
Example configuration of a validation service:
# Set up the worker -> validation service wrapper
WORKER1.IMPLEMENTATION_CLASS=org.signserver.validationservice.server.ValidationServiceWorker
# Uncomment and set the class path to a custom validation service, otherwise the default is used.
#WORKER1.TYPE=
# Name of Service (Optional)
WORKER1.NAME=ValidationService1
# Define TestCA2 and TestCA3 as cached for 15 seconds; TestCA1 is not cached.
WORKER1.CACHEDISSUERS=CN=TestCA2;CN=TestCA3
WORKER1.TIMEINCACHE=15
# Define a validator in charge of issuers TestCA1 and TestCA2
WORKER1.VAL1.CLASSPATH=<Class path to some validator>
WORKER1.VAL1.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....
WORKER1.VAL1.ISSUER2.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....
# Define a validator in charge of issuer TestCA3
WORKER1.VAL2.CLASSPATH=<Class path to some validator>
WORKER1.VAL2.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....
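To make the three property types concrete, here is an added Python example (not SignServer's own code) that splits a flat WORKER1.* property list into general, validator (VAL<id>.) and issuer (VAL<id>.ISSUER<n>.) properties, strips the validator prefix, enforces the 1..255 validator ID range and the required CLASSPATH, and expands CACHEDISSUERS. The embedded configuration is the example above with constructed placeholder class names and certificate chains.

```python
import re
from collections import defaultdict
# Constructed sample: the example configuration above, with placeholder
# validator classes and certificate chains (not real values).
SAMPLE_CONFIG = """
WORKER1.IMPLEMENTATION_CLASS=org.signserver.validationservice.server.ValidationServiceWorker
WORKER1.NAME=ValidationService1
WORKER1.CACHEDISSUERS=CN=TestCA2;CN=TestCA3
WORKER1.TIMEINCACHE=15
WORKER1.VAL1.CLASSPATH=com.example.SomeValidator
WORKER1.VAL1.ISSUER1.CERTCHAIN=PLACEHOLDER_CHAIN_1
WORKER1.VAL1.ISSUER2.CERTCHAIN=PLACEHOLDER_CHAIN_2
WORKER1.VAL2.CLASSPATH=com.example.OtherValidator
WORKER1.VAL2.ISSUER1.CERTCHAIN=PLACEHOLDER_CHAIN_3
"""
VAL_RE = re.compile(r"^VAL(\d+)\.(.+)$")
ISSUER_RE = re.compile(r"^ISSUER(\d+)\.(.+)$")

def parse_worker_config(text, worker="WORKER1"):
    """Split WORKERn.* into general, VAL<id>. and VAL<id>.ISSUER<n>. properties."""
    general = {}
    validators = defaultdict(lambda: {"properties": {}, "issuers": defaultdict(dict)})
    prefix = worker + "."
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith(prefix):
            continue
        key, _, value = line[len(prefix):].partition("=")  # value may contain '='
        m = VAL_RE.match(key)
        if not m:  # no VAL<id>. prefix: a general property
            general[key] = value
            continue
        vid, rest = int(m.group(1)), m.group(2)
        if not 1 <= vid <= 255:
            raise ValueError(f"validator id {vid} outside 1..255")
        im = ISSUER_RE.match(rest)
        if im:  # issuer property, scoped to issuer <n> of this validator
            validators[vid]["issuers"][int(im.group(1))][im.group(2)] = value
        else:   # validator property, stored with the VAL<id>. prefix removed
            validators[vid]["properties"][rest] = value
    for vid, v in validators.items():
        if "CLASSPATH" not in v["properties"]:
            raise ValueError(f"VAL{vid}.CLASSPATH is required")
        v["properties"] = {**general, **v["properties"]}  # general ones apply too
    return general, dict(validators)

def cached_issuers(general):
    """CACHEDISSUERS is a ';'-separated list; nothing is cached if unset."""
    return [s for s in general.get("CACHEDISSUERS", "").split(";") if s]
```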