Validation reference
Certificates are validated using several parameters.
The validations described in the following table are applied for all certificates, but are most helpful for custom certificates. For default certificates, the certificate validations will always pass, as the required elements are generated by APICUP. However, with custom certificates, some of the required elements may be missing or incorrect.
| Validation | Messages | Error | See also/Action |
|---|---|---|---|
| Verify the certificate is set properly. | `certificate <cert> not set` | The certificate is not set. | |
| | `unable to load cert <cert>` | The certificate is set but cannot be read. | |
| Verify certificate key usage (Extended Key Usage). | `unable to verify cert <cert>: missing key usage <n>` | The certificate is missing the required key usage. | See Certificates Reference to see more information, including the type, for all certificates. See Setting custom certificates for tips on how to generate the EKUs for custom certificates. |
| Verify the certificate signing CA. If available, the CA file is loaded. Then the certificate is verified against the provided CA file, including enforcement of Extended Key Usage. | `unable to parse CA to verify cert <cert>` | The CA file could not be parsed and loaded. | |
| | `unable to verify cert <cert>` | The certificate failed verification against the provided CA file. | One possible reason for receiving this error is that the correct EKU is missing. For a custom certificate, see Setting custom certificates for information on generating EKUs. |
| Verify certificate hosts. The certificate must be valid for the hosts listed for the certificate in the Requirements column in the Certificates Reference. | `unable to verify cert <cert>: missing <host>` | The certificate is not valid for the required host. | See Certificate reference for the required hosts. |
| Verify that a certificate that is being used as a CA is actually a CA. | `unable to verify cert <cert>: certificate is not a CA` | The certificate is not a valid CA. | |
| Verify client certificate match. The portal-client, analytics-client-client, and analytics-ingestion-client certificates are verified against the CA of, respectively, portal-admin-ingress, analytics-client-ingress, and analytics-ingestion-ingress. | `a CA certificate must be provided for this certificate` | The CA certificate is missing for one of the portal-admin-ingress, analytics-client-ingress, and analytics-ingestion-ingress. | The common certificates portal-client, analytics-client-client, and analytics-ingestion-client must be set prior to setting any custom certificates. |
| | `client cert cannot be verified against provided CA certificate` | The verification failed. | |
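The checks in the table can be rehearsed on a custom certificate before it is set. The following is an added example, not APICUP's own code: it uses Go's standard `crypto/x509` package to run the CA-flag, CA-signature (with EKU enforced), EKU and host checks, and reports whether a failed CA verification was caused by a missing EKU. The function names `precheck` and `demo`, the host names, and the choice of serverAuth as the required EKU are assumptions made for the sample; the certificates are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// precheck repeats the table's checks in Go; the strings echo the table's messages.
func precheck(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage, hosts []string) (errs []string) {
	add := func(bad bool, msg string) {
		if bad {
			errs = append(errs, msg)
		}
	}
	add(!ca.IsCA, "certificate is not a CA")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	add(err != nil, "unable to verify cert") // CA check with the EKU enforced
	var inv x509.CertificateInvalidError
	add(errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage, "missing key usage")
	for _, h := range hosts {
		add(leaf.VerifyHostname(h) != nil, "missing "+h)
	}
	return errs
}

// demo issues a constructed CA and a leaf for portal.example.test, then requires serverAuth.
func demo(leafEKU x509.ExtKeyUsage, hosts ...string) []string {
	issue := func(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
		t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caT, caT, caPub, caKey)
	leaf := issue(&x509.Certificate{DNSNames: []string{"portal.example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{leafEKU}}, ca, pub, caKey)
	return precheck(leaf, ca, x509.ExtKeyUsageServerAuth, hosts)
}

func main() { fmt.Println(demo(x509.ExtKeyUsageClientAuth, "portal.example.test", "api.example.test")) }
```

A leaf issued with only clientAuth fails the CA verification even though its signature is valid, which is the EKU case the table calls out for `unable to verify cert <cert>`.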