cert-validation-mode

This command sets the certificate validation method.

Syntax

cert-validation-mode legacy

cert-validation-mode pkix

cert-validation-mode exact-match

Parameters

legacy
The validation credentials contain the exact peer certificate to match or the certificate of the immediate issuer, which might be an intermediate CA or a root CA. This mode is maintained for backwards compatibility. You can use exact-match or pkix in most cases instead of using legacy. This setting is the default value.
pkix
The complete certificate chain is checked from subject to root with these validation credentials for certificate validation. Validation succeeds only if the chain ends with a root certificate in the validation credentials. Nonroot certificates in the validation credentials are used as untrusted intermediate certificates. More untrusted intermediate certificates are dynamically obtained from the context at hand (SSL handshake messages, PKCS#7 tokens, PKIPath tokens, and so forth).
exact-match
The validation credentials contain the exact peer certificate to match. This mode is useful when you want to match the peer certificate exactly, but that certificate is not necessarily a self-signed (root) certificate.

Guidelines

The cert-validation-mode command sets the certificate validation method.

The pkix method, as described in RFC 3280, expects the remote peer to provide all intermediate certificates to the DataPower® Gateway during SSL negotiation. The associated validation credentials consist of self-signed certificates and certificates of trust anchors. Certificates can be a root CA or an intermediate CA.
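The following Python model is added here as an illustration; it is not DataPower code and is not part of the product documentation. It works through which validation credentials each mode accepts for a constructed three-certificate chain, and in particular shows why validation credentials that hold only the intermediate CA pass under legacy but fail under pkix, which needs the root CA. All CA names, the host name and the chain are constructed.

```python
# Added model (not DataPower's code) of the three cert-validation-mode
# behaviours. A certificate is a constructed (subject, issuer) pair; a cert
# whose subject equals its issuer is a root. Signature, validity-period and
# extension checks of a real validator are deliberately omitted.

def is_root(cert):
    return cert[0] == cert[1]

def validate(mode, peer_chain, valcred):
    """peer_chain: certs the peer presented, leaf first, then any
    intermediates. valcred: certs in the validation credentials.
    Returns True if the peer's leaf certificate is accepted."""
    leaf = peer_chain[0]
    if mode == "exact-match":
        # Only the exact peer certificate counts; issuers are irrelevant.
        return leaf in valcred
    if mode == "legacy":
        # Exact leaf, or a valcred cert that is the leaf's immediate issuer.
        return leaf in valcred or any(c[0] == leaf[1] for c in valcred)
    if mode == "pkix":
        # Walk subject -> issuer. Issuers may come from the valcred (treated as
        # untrusted) or from the context, here the handshake chain. Success
        # requires ending on a root that is present in the valcred.
        pool = list(valcred) + list(peer_chain[1:])
        current, seen = leaf, set()
        while not is_root(current):
            if current in seen:
                return False          # issuer loop, never reaches a root
            seen.add(current)
            issuers = [c for c in pool if c[0] == current[1]]
            if not issuers:
                return False          # chain cannot be completed
            current = issuers[0]
        return current in valcred
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample PKI: Example Root CA -> Example Issuing CA -> peer leaf.
ROOT = ("Example Root CA", "Example Root CA")
INTER = ("Example Issuing CA", "Example Root CA")
LEAF = ("peer.example.net", "Example Issuing CA")

def demo():
    """Cases a migration from legacy to pkix typically runs into."""
    return {
        "legacy, valcred=intermediate":         validate("legacy", [LEAF, INTER], [INTER]),
        "pkix, valcred=intermediate":           validate("pkix", [LEAF, INTER], [INTER]),
        "pkix, valcred=root, peer sends inter": validate("pkix", [LEAF, INTER], [ROOT]),
        "pkix, valcred=root, peer omits inter": validate("pkix", [LEAF], [ROOT]),
        "pkix, valcred=root+inter":             validate("pkix", [LEAF], [ROOT, INTER]),
        "exact-match, valcred=leaf":            validate("exact-match", [LEAF], [LEAF]),
    }
```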

Examples

  • Create the ValCred-1 validation credentials with PKIX validation.
    # valcred ValCred-1
    Crypto Validation Credentials configuration
    # cert-validation-mode pkix
  • Restore the default setting for the ValCred-1 validation credentials.
    # valcred ValCred-1
    Crypto Validation Credentials configuration
    # cert-validation-mode legacy