Validation Client Features

This section summarizes the components and key features of the Desktop Validation Client.

Software Components

The software components that comprise the Desktop Validation Client are:

  • Validation Client Service – The Validation Client Service is a Microsoft Windows service that provides all certificate validation functionality, including certificate revocation status checking using OCSP.

  • Validation Client CAPI Plug-in – The Validation Client CAPI plug-in provides digital certificate validation support for the Microsoft Cryptographic API (CAPI). Windows applications use CAPI to determine the revocation status of certificates such as those received in digitally signed e-mail messages or from a web server. The plug-in forwards these revocation checks directly to the Validation Client Service, which answers them using OCSP.

  • Validation Client Management Console – The Validation Client Management Console is a graphical utility used to manage configuration settings.

  • Validation Client Monitor – The Validation Client Monitor gives the user visual feedback on certificate validation requests as well as on the overall state of the Validation Client.

  • Validation Test Tool – The Validation Client provides a tool to validate digital certificates manually. The Validation Test Tool is useful for testing Validation Client configuration and for troubleshooting.

Support for OCSP Requests and Responses

The Validation Client is interoperable with any responder that conforms to the OCSP specification defined by RFC 2560 (since obsoleted by RFC 6960, which retains the same request and response syntax). It can send OCSP requests either digitally signed or unsigned, and with or without a nonce. Signing a request identifies the requester to the responder; a nonce binds the response to the request and defeats replay, but only if the responder echoes it. Responders that serve pre-produced responses, as the Lightweight OCSP Profile allows, cannot echo a nonce, so a client that sends one must still be prepared to judge freshness from the response's thisUpdate and nextUpdate times.

The Validation Client supports the Basic OCSP response type (id-pkix-ocsp-basic) defined by the OCSP specification.

The Validation Client conforms to the recommendations of the Lightweight OCSP Profile, RFC 5019.

Ease of Configuration and Deployment

The Validation Client is designed for ease of configuration. Default settings allow the Validation Client to operate in many end-user deployments without additional administrator action.

By default, the Validation Client plug-in is configured to obtain an OCSP responder URL from the Authority Information Access (AIA) extension of the certificate to be validated (the access description with the id-ad-ocsp access method). In many installations, relying only on this configuration option is sufficient to validate certificates, and an administrator can deploy the Validation Client without additional configuration. Note that this URL comes from the very certificate under scrutiny: it tells the client where to ask, but trust in the answer rests on verifying the response signature against the issuing CA, not on where the response came from. For installations requiring additional means of determining OCSP responder URLs, the Management Console provides an intuitive, graphical interface to accomplish this task.
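The OCSP exchange described under Support for OCSP Requests and Responses, together with the AIA-based responder discovery described above, as an added example that is not part of this documentation or of the Validation Client's code and does not describe how the Validation Client itself implements these steps. It uses the Python cryptography library. The CA, the delegated responder and the end-entity certificate, the responder URL http://ocsp.example.test/, the fixed clock and the random nonces are all constructed for the example, and the stand-in responder answers in-process instead of over HTTP.

```python
"""Added example, not the Validation Client's own code: OCSP as a desktop client performs it, with
responder discovery from the AIA extension, an unsigned request carrying a nonce, and the checks a
relying client applies to a Basic response. A constructed CA, delegated responder and end-entity
certificate (ECDSA P-256) stand in for a real PKI; nothing here touches the network."""
import datetime, os
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID
NOW = datetime.datetime(2024, 1, 1, 12, 0)  # fixed clock so runs are repeatable (assumed)
DAY = datetime.timedelta(days=1)

def issue_cert(cn, issuer, issuer_key, key, serial, eku=None, ocsp_url=None):  # constructed-PKI helper
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])  # issuer=None means self-signed
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    if ocsp_url:  # an id-ad-ocsp access description, as a real end-entity certificate carries
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def _ext(extensions, cls):  # optional extension value, or None (AIA, nonce and EKU may all be absent)
    return next((e.value for e in extensions if isinstance(e.value, cls)), None)

def ocsp_urls_from_aia(cert):  # default responder discovery: id-ad-ocsp AIA entries only (not caIssuers)
    aia = _ext(cert.extensions, x509.AuthorityInformationAccess) or []
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]

def build_request(cert, issuer, nonce=None):
    """Unsigned request with a SHA-1 CertID (RFC 5019). The nonce is optional: responders that
    serve pre-produced responses cannot echo one, so a client that insists on it breaks against them."""
    b = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
    if nonce is not None:
        b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
    return b.build().public_bytes(serialization.Encoding.DER)

def answer_request(request_der, cert, issuer, signer_cert, signer_key, status=ocsp.OCSPCertStatus.GOOD):
    """Stand-in responder: one Basic response for the CertID asked about, echoing any nonce sent."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                       this_update=NOW, next_update=NOW + 7 * DAY, revocation_reason=None,
                       revocation_time=NOW - DAY if status == ocsp.OCSPCertStatus.REVOKED else None)
         .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert).certificates([signer_cert]))
    nonce = _ext(ocsp.load_der_ocsp_request(request_der).extensions, x509.OCSPNonce)
    if nonce is not None:
        b = b.add_extension(nonce, critical=False)
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def responder_key(resp, issuer):
    """Who may sign: the CA itself, or a certificate the CA issued with the id-kp-OCSPSigning EKU
    (RFC 2560 section 4.2.2.2) and shipped in the response. Claiming the CA's name is not enough."""
    if resp.responder_name == issuer.subject:
        return issuer.public_key()  # an impostor using this name is then checked against the real CA key
    for cand in resp.certificates:
        if (cand.subject == resp.responder_name and cand.issuer == issuer.subject
                and ExtendedKeyUsageOID.OCSP_SIGNING in (_ext(cand.extensions, x509.ExtendedKeyUsage) or [])):
            issuer.public_key().verify(cand.signature, cand.tbs_certificate_bytes, ec.ECDSA(cand.signature_hash_algorithm))
            return cand.public_key()
    raise ValueError("response not signed by the CA or an authorised delegated responder")

def validate_response(request_der, response_der, issuer, now=NOW, skew=datetime.timedelta(minutes=5)):
    """Client-side checks in order: responder status, signature, CertID match, nonce, freshness."""
    req, resp = ocsp.load_der_ocsp_request(request_der), ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    responder_key(resp, issuer).verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if (resp.serial_number, resp.issuer_key_hash) != (req.serial_number, req.issuer_key_hash):
        raise ValueError("response answers a different CertID")
    sent, got = _ext(req.extensions, x509.OCSPNonce), _ext(resp.extensions, x509.OCSPNonce)
    if sent and got and sent.nonce != got.nonce:  # a missing echo is tolerated: RFC 5019 responders omit it
        raise ValueError("nonce mismatch: replayed response")
    tu, nu = [getattr(resp, f + "_utc", None) or getattr(resp, f) for f in ("this_update", "next_update")]
    now = now.replace(tzinfo=tu.tzinfo)  # *_utc accessors (cryptography >= 43) are tz-aware, older ones naive
    if tu > now + skew or (nu is not None and nu < now - skew):
        raise ValueError("response outside its thisUpdate..nextUpdate window")
    return resp.certificate_status.name

def outcome(req_der, resp_der, issuer, **kw):  # status name, or the reason the client refused the response
    try:
        return validate_response(req_der, resp_der, issuer, **kw)
    except (ValueError, InvalidSignature) as exc:
        return "REJECTED: " + (str(exc) or type(exc).__name__)

def run_demo():  # build the constructed PKI and exercise the client checks; returns the outcomes
    ca_key, rsp_key, leaf_key, evil_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = issue_cert("Example Root CA", None, ca_key, ca_key, 1)
    rsp = issue_cert("Example OCSP Responder", ca, ca_key, rsp_key, 2, eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    leaf = issue_cert("alice@example.test", ca, ca_key, leaf_key, 3, ocsp_url="http://ocsp.example.test/")
    evil = issue_cert("Example Root CA", None, evil_key, evil_key, 4)  # impostor copies only the CA's name
    req = build_request(leaf, ca, nonce=os.urandom(16))
    good_resp = answer_request(req, leaf, ca, rsp, rsp_key)
    return {"aia_urls": ocsp_urls_from_aia(leaf),
            "good": outcome(req, good_resp, ca),
            "revoked": outcome(req, answer_request(req, leaf, ca, rsp, rsp_key, ocsp.OCSPCertStatus.REVOKED), ca),
            "replay": outcome(build_request(leaf, ca, nonce=os.urandom(16)), good_resp, ca),  # old answer, new request
            "forged": outcome(req, answer_request(req, leaf, ca, evil, evil_key), ca),
            "stale": outcome(req, good_resp, ca, now=NOW + 30 * DAY)}
```

The checks in validate_response are what make an OCSP answer worth trusting: the signature must verify under the issuing CA's key or under a responder certificate that the CA issued with id-kp-OCSPSigning, the response must answer the CertID that was asked, a nonce that was both sent and echoed must match, and the current time must fall inside the thisUpdate..nextUpdate window. Because the nonce check tolerates a missing echo, as it must against responders serving pre-produced responses, replay protection in that case comes only from the validity window; a deployment that wants nonce protection should confirm its responders actually echo nonces before relying on it.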

Administration tools supplied with the Validation Client allow an administrator to deploy the software on end-user computers easily, rapidly, and in a wide variety of network configurations. The Validation Client allows an administrator to create a preconfigured installer customization containing all appropriate options and security information and to deploy that installer customization to end-user PCs without hands-on technical support at each installation. Refer to Advanced Deployment Options for more information about deploying custom installers.

Validation Client configuration parameters are stored in the Windows Registry. Site administrators can update the configuration of deployed Validation Clients using any tools that allow remote registry management. Because these values determine where and how revocation status is checked, restrict write access to the keys to administrators and treat changes to them as you would any other security policy change. Refer to Registry Keys and Values for more details.