Certificate Validation and the Validation Extension

This section describes the operation of the Validation Extension.

Components

The following figure shows a simplified architecture of the interaction between a Validation Extension user and an OCSP responder:

As depicted in the figure, the Validation Extension components perform all communication between CAPI and the OCSP responder.

Concept of Operation

The following summary describes the operation of the components depicted in the figure above:

The server application receives a digital certificate and asks CAPI to validate the current status of that certificate and to check that it is trusted.

CAPI verifies that the certificate is trusted and passes the request for revocation status checking to the Validation Extension Plug-in.

The plug-in relays the request to the Validation Extension Service.

The Validation Extension Service constructs an OCSP request and determines the OCSP responder to which it will send the request.

The Validation Extension Service sends the request to the OCSP responder and waits for a response. If no response is received, the Validation Extension Service sends the request to the next OCSP responder that it is configured to query.

After receiving an OCSP response, the Validation Extension Service verifies the response and returns the certificate status to the Validation Extension Plug-in. If the response cannot be used to determine the certificate status, the Validation Extension Service sends the request to the next OCSP responder that it is configured to query.

The Validation Extension Plug-in returns the status of the certificate to CAPI.

CAPI returns the status to the calling application.
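The sequence above, as an added example that is not part of the Validation Extension documentation or product code: a pure-Python construction of the OCSP request the service builds in step 4 (an RFC 6960 CertID inside an OCSPRequest, DER-encoded with a small encoder included inline) and a model of the responder failover rule in steps 5 and 6. The issuer bytes, serial number, responder names and response dictionaries are constructed here for illustration and no network traffic is sent; the response signature check is represented by a flag rather than performed, and treating a certStatus of "unknown" as not determining the status (so the next responder is tried) is an assumption about the product's policy, not something the page states.

```python
"""Added example, not Validation Extension product code: minimal OCSP request
construction (RFC 6960) plus the responder failover policy from the steps above.
All issuer values, responders and responses below are constructed for illustration."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# ---- minimal DER encoder: only the types an OCSPRequest needs ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_int(value: int) -> bytes:
    # minimal two's-complement encoding; certificate serial numbers are positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return der(0x06, bytes(out))

SHA1_OID = "1.3.14.3.2.26"

def cert_id(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg = der_seq(der_oid(SHA1_OID), der(0x05, b""))   # AlgorithmIdentifier, NULL params
    return der_seq(alg,
                   der(0x04, hashlib.sha1(issuer_name_der).digest()),
                   der(0x04, hashlib.sha1(issuer_key).digest()),
                   der_int(serial))

def build_ocsp_request(cid: bytes) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest }; TBSRequest ::= SEQUENCE { requestList }
    (version v1 is the default and omitted); Request ::= SEQUENCE { reqCert CertID }"""
    request = der_seq(cid)
    request_list = der_seq(request)
    tbs_request = der_seq(request_list)
    return der_seq(tbs_request)

# ---- failover policy (steps 5 and 6) ----
Response = Optional[Dict]
Responder = Tuple[str, Callable[[bytes], Response]]

def usable(resp: Response, expected_cid: bytes, now: int) -> bool:
    """Verification before a response is trusted: a response was received, the
    responder reported success, the signature is valid (flag stands in for the
    real check), it answers for our CertID, and it is current (both times required)."""
    return (resp is not None
            and resp.get("responseStatus") == "successful"
            and resp.get("signatureValid") is True
            and resp.get("certId") == expected_cid
            and resp.get("thisUpdate", now + 1) <= now < resp.get("nextUpdate", now - 1))

def query_responders(request: bytes, expected_cid: bytes,
                     responders: List[Responder], now: int) -> Tuple[str, Optional[str]]:
    """Walk the configured responders in order; return (status, responder name)."""
    for name, send in responders:
        resp = send(request)
        if not usable(resp, expected_cid, now):
            continue                          # no response or unusable response: next responder
        status = resp.get("certStatus")
        if status in ("good", "revoked"):
            return status, name
        # "unknown" treated as not determining the status: try the next responder (assumption)
    return "undetermined", None

# ---- constructed sample data ----
ISSUER_NAME_DER = b"constructed-issuer-name-der"   # would be the issuer's DER-encoded Name
ISSUER_KEY = b"constructed-issuer-public-key"      # would be the issuer's subjectPublicKey bits
SERIAL = 0x0123456789ABCDEF
CID = cert_id(ISSUER_NAME_DER, ISSUER_KEY, SERIAL)
REQUEST = build_ocsp_request(CID)
NOW = 1_700_000_000

def _resp(**fields) -> Dict:
    base = {"responseStatus": "successful", "signatureValid": True, "certId": CID,
            "thisUpdate": NOW - 600, "nextUpdate": NOW + 600}
    base.update(fields)
    return base

CONSTRUCTED_RESPONDERS: List[Responder] = [
    ("ocsp1.example", lambda req: None),                                  # times out
    ("ocsp2.example", lambda req: {"responseStatus": "tryLater"}),        # not successful
    ("ocsp3.example", lambda req: _resp(signatureValid=False, certStatus="good")),  # bad signature
    ("ocsp4.example", lambda req: _resp(certStatus="revoked")),           # usable answer
]

def demo() -> Tuple[str, Optional[str]]:
    return query_responders(REQUEST, CID, CONSTRUCTED_RESPONDERS, NOW)

if __name__ == "__main__":
    print(REQUEST.hex())
    print(demo())
```

Run stand-alone, the block prints the hex of the 75-byte request and the result of walking the constructed responder list, which skips the timed-out, tryLater and badly signed responders and returns the status from the fourth.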