Validation Extension Features
This section summarizes the components and key features of the Validation Extension.
Software Components
The software components that comprise the Validation Extension are:
- Validation Extension Service – The Validation Extension Service is a Microsoft Windows Service that provides all certificate validation functionality, including revocation status checking using OCSP and CRLs. The other components do not contact responders themselves; they hand the work to this service.
- Validation Extension CAPI Plug-in – The Validation Extension CAPI plug-in provides digital certificate validation support for the Microsoft Cryptographic API (CAPI). Windows applications use CAPI to determine the revocation status of certificates, such as those received in digitally signed e-mail messages or presented by a web server. The plug-in communicates directly with the Validation Extension Service to determine the revocation status of these certificates, so any CAPI-based application benefits without changes to the application.
- Validation Extension Management Console – The Validation Extension Management Console is a graphical utility used to manage configuration settings.
- Validation Test Tool – The Validation Extension provides a tool to validate digital certificates manually. The Validation Test Tool is useful for testing the Validation Extension configuration and for troubleshooting, for example to confirm that a responder is reachable and returns the expected status before relying on it in production.
Support for OCSP Requests and Responses
The Validation Extension is interoperable with any responder that conforms to the OCSP specification defined by RFC 2560 (since superseded by RFC 6960, which keeps the same message formats). It is capable of sending OCSP requests that are digitally signed or unsigned, and with or without a nonce. Whether a responder accepts unsigned requests is a responder policy decision; most public responders do.
A nonce is a random value that the client places in the request and that the responder copies into its signed response. Because the response signature covers the copied nonce, a client that verifies the nonce matches can detect a replayed or pre-recorded response. The nonce is carried as a requestExtensions item in OCSP requests and as a responseExtensions item in OCSP responses (extension id-pkix-ocsp-nonce). Note that a responder serving pre-produced responses, as permitted by RFC 5019, does not echo the nonce; in that case the client must judge freshness from the thisUpdate and nextUpdate fields of the response rather than reject it solely for the missing nonce.
An OCSP responder is a service that is authorized to provide certificate status information on behalf of one or more certificate authorities, either by signing responses with the CA key itself or with a responder certificate that the CA has delegated for that purpose.
The Validation Extension supports the Basic OCSP response type (id-pkix-ocsp-basic) defined by the OCSP specification.
The Validation Extension conforms to the recommendations of the Lightweight OCSP Profile, RFC 5019, which is designed for high-volume environments: unsigned requests for a single certificate, SHA-1 in the CertID, responses that always carry nextUpdate, and responses that may be pre-produced and cached by HTTP intermediaries.
Ease of Configuration and Deployment
The Validation Extension is designed for ease of configuration. Default settings allow the Validation Extension to operate in many end-user deployments without additional administrator action.
By default, the Validation Extension plug-in is configured to obtain the OCSP responder URL from the Authority Information Access (AIA) extension of the certificate being validated (the access description whose method is id-ad-ocsp). In many installations, relying only on this configuration option is sufficient to validate certificates, and an administrator can deploy the Validation Extension without additional configuration. A certificate that carries no OCSP URL in its AIA extension cannot be located this way; for installations requiring additional means of determining OCSP responder URLs, the Management Console provides an intuitive, graphical interface to accomplish this task.
Administration tools supplied with the Validation Extension allow an administrator to deploy the software on servers easily, rapidly, and in a wide variety of network configurations. The Validation Extension allows an administrator to create a preconfigured installer customization containing all appropriate options and security information, and to deploy that installer customization to servers without requiring technical support at each installation. For more information about deploying custom installers, refer to Advanced Deployment Options.
Validation Extension configuration parameters are stored in the Windows Registry. Site administrators can update the configuration of deployed Validation Extensions using any tool that allows remote registry management. Because these values determine which responders are consulted and how their answers are treated, restrict write access to the keys to administrators: an account that can modify them can redirect or weaken validation. For more details, refer to Registry Keys and Values.