Certificate Validation and the Validation Client
This section describes the operation of the Validation Client.
Components
The following figure shows a simplified architecture of the interaction between a Validation Client user and an OCSP responder:
As the figure shows, the Validation Client components handle all communication between CAPI and the OCSP responder.
Concept of Operation
The following summary describes the operation of the components depicted in the figure above:
-
A user application, such as Microsoft Outlook or Adobe Acrobat, receives a digital certificate and asks CAPI to validate the current revocation status of that certificate and to check that it is trusted.
-
CAPI verifies that the certificate is trusted (the certificate is within its validity period and chains, through verifiable issuer signatures, to a trusted root). CAPI then passes the request for revocation status checking to the Validation Client Plug-in.
-
The Validation Client Plug-in relays the request to the Validation Client Service.
-
The Validation Client Service constructs an OCSP request for the certificate and selects, from the OCSP responders it is configured to query, the responder to which it will send the request.
-
The Validation Client Service sends the request to the OCSP responder and waits for a response. If no response is received, the Validation Client Service sends the request to the next OCSP responder that it is configured to query.
-
After receiving an OCSP response, the Validation Client Service verifies the response (see the section OCSP Response Acceptance Considerations for more information) and returns the certificate status to the Validation Client Plug-in. If the response cannot be used to determine the certificate status (for example, because it fails verification), the Validation Client Service sends the request to the next OCSP responder that it is configured to query.
-
The Validation Client Plug-in returns the status of the certificate to CAPI.
-
The Validation Client Monitor displays the certificate status to the user in a pop-up dialog box. The dialog shows the certificate status (Good, Revoked or Unknown) or, if the Validation Client could not determine the status, information about the problem that prevented it from doing so.
For example, if the certificate is valid, the Validation Client displays a dialog similar to the following:
-
CAPI returns the status to the calling application.
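The following Python example is added here to illustrate the Validation Client Service steps above (constructing the request, querying each configured responder in turn, and accepting or rejecting each response before returning a status). It is not the Validation Client software's own code. The responder URLs, field names, clock-skew and staleness limits, and the scripted transport are constructed for illustration; ASN.1 decoding and verification of the responder signature are assumed to have been done by a cryptographic library and are represented by the signature_valid field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# OCSPResponseStatus values from RFC 6960, section 4.2.1 (value 4 is unused)
SUCCESSFUL, MALFORMED_REQUEST, INTERNAL_ERROR, TRY_LATER, SIG_REQUIRED, UNAUTHORIZED = 0, 1, 2, 3, 5, 6

# Policy values assumed for this example; they are not taken from the Validation Client documentation
CLOCK_SKEW = timedelta(minutes=5)                # tolerated clock difference with the responder
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(days=7)  # staleness limit when the response has no nextUpdate

@dataclass(frozen=True)
class CertID:
    """Identifies the certificate under check (RFC 6960 CertID; hash algorithm omitted for brevity)."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int

@dataclass(frozen=True)
class OCSPRequest:
    cert_id: CertID
    nonce: bytes  # id-pkix-ocsp-nonce value sent with the request

@dataclass
class OCSPResponse:
    """An OCSP response after ASN.1 decoding; fields stay None when there is no BasicOCSPResponse."""
    status: int                         # OCSPResponseStatus
    signature_valid: bool = False       # responder signature verified and responder authorised for this CA
    cert_id: Optional[CertID] = None    # CertID from the SingleResponse
    cert_status: Optional[str] = None   # "good", "revoked" or "unknown"
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    nonce: Optional[bytes] = None       # echoed nonce; None when the responder did not include one

class NoResponse(Exception):
    """Raised by the transport when a responder is unreachable or the request times out."""

def rejection_reason(req: OCSPRequest, resp: OCSPResponse, now: datetime) -> Optional[str]:
    """Return why the response cannot be used to determine status, or None if it is acceptable."""
    if resp.status != SUCCESSFUL:
        return f"responseStatus={resp.status}"
    if not resp.signature_valid:
        return "responder signature not verified"
    if resp.cert_id != req.cert_id:
        return "CertID does not match the request"
    if resp.nonce is not None and resp.nonce != req.nonce:
        return "nonce mismatch (possible replay)"
    if resp.this_update is None or resp.this_update > now + CLOCK_SKEW:
        return "thisUpdate missing or in the future"
    if resp.next_update is not None and resp.next_update < now - CLOCK_SKEW:
        return "response expired (nextUpdate passed)"
    if resp.next_update is None and now - resp.this_update > MAX_AGE_WITHOUT_NEXT_UPDATE:
        return "response stale (no nextUpdate)"
    if resp.cert_status not in ("good", "revoked", "unknown"):
        return "unrecognised certStatus"
    return None

def check_revocation(req: OCSPRequest, responders: List[str],
                     transport: Callable[[str, OCSPRequest], OCSPResponse],
                     now: datetime) -> Tuple[str, List[str]]:
    """Query the responders in configured order and return (status, log).

    status is the responder's answer ("good", "revoked" or "unknown") or "undetermined" when every
    responder failed to answer or answered unusably. "unknown" is a genuine answer (the responder has
    no record of the certificate); "undetermined" means the client obtained no usable answer at all.
    """
    log: List[str] = []
    for url in responders:
        try:
            resp = transport(url, req)
        except NoResponse:
            log.append(f"{url}: no response, trying next responder")
            continue
        reason = rejection_reason(req, resp, now)
        if reason is not None:
            log.append(f"{url}: unusable response ({reason}), trying next responder")
            continue
        log.append(f"{url}: accepted, certStatus={resp.cert_status}")
        return resp.cert_status, log
    return "undetermined", log

def scripted_transport(script: Dict[str, object]) -> Callable[[str, OCSPRequest], OCSPResponse]:
    """Constructed stand-in for HTTP: maps a responder URL to a canned OCSPResponse or to NoResponse."""
    def send(url: str, req: OCSPRequest) -> OCSPResponse:
        outcome = script[url]
        if outcome is NoResponse:
            raise NoResponse(url)
        return outcome  # type: ignore[return-value]
    return send

# Constructed fixtures: a fixed evaluation time, one certificate, and an acceptable "good" answer for it
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CERT_ID = CertID(issuer_name_hash=b"\x11" * 20, issuer_key_hash=b"\x22" * 20, serial_number=0x1234)
REQ = OCSPRequest(CERT_ID, nonce=b"\xab" * 16)
GOOD_RESPONSE = OCSPResponse(SUCCESSFUL, signature_valid=True, cert_id=CERT_ID, cert_status="good",
                             this_update=NOW - timedelta(hours=1), next_update=NOW + timedelta(days=1),
                             nonce=REQ.nonce)

def demo() -> Tuple[str, List[str]]:
    """Three configured responders: the first times out, the second answers tryLater, the third answers."""
    responders = ["http://ocsp1.example", "http://ocsp2.example", "http://ocsp3.example"]
    script = {responders[0]: NoResponse, responders[1]: OCSPResponse(status=TRY_LATER),
              responders[2]: GOOD_RESPONSE}
    return check_revocation(REQ, responders, scripted_transport(script), NOW)
```

Two points of the example matter in practice. First, a certificate status of Unknown is an answer from a responder and does not cause failover, whereas the client-side "undetermined" outcome (every responder unreachable or unusable) is what the status dialog reports as a problem; the two must not be conflated by the calling application. Second, the example accepts a response that carries no nonce and relies on the thisUpdate/nextUpdate window instead, which is an assumed policy: responders that serve pre-produced responses commonly omit the nonce, and requiring it would make such responders permanently unusable.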