Elements of CV Definitions
A certificate validation (CV) definition specifies how to validate a digital certificate presented by a client application on behalf of an end user. It can include the following optional elements:
Attribute query definition—Specifies an LDAP search operation to locate directory entries and optionally return attributes from those entries. The search must succeed for certificate validation to succeed. The query is composed by specifying all query parameters in a Uniform Resource Locator (URL), or by specifying parameters individually on the Query Parameters screen. Attribute query definitions can include variables as described in CV and Authentication Definition Variables.
Attribute assertion definition—Specifies a Boolean statement that must evaluate as true in order for certificate validation to succeed. Attribute assertions allow the specification of additional conditions and can compare details from the request (such as an IP address or attributes from a certificate) to fixed data or to attributes returned from queries. Attribute assertion definitions can include variables as described in CV and Authentication Definition Variables.
Custom exit—Specifies details for exiting from a Sterling External Authentication Server certificate validation or authentication definition to perform related tasks using a Java™ class running an operating system command.
Certificate revocation list (CRL) definition—Specifies how to access the list of certificates that have been suspended or revoked before their scheduled expiration date. After you create a CRL definition, the CRLs it defines can be referenced so that they are checked during certificate validation. A CRL contains the CRL issuer's name, the date of issue, the date the CRL is next scheduled to be reissued, the serial numbers of revoked or suspended certificates, and the number of times and reasons certificates were revoked or suspended. If Sterling External Authentication Server finds the certificate it is validating on a CRL, certificate validation fails. CRL definitions can be created independently of a CV definition and referenced from multiple CV definitions.
Supported extensions—Defines processing instructions for the set of X.509 v3 extensions directly supported by Sterling External Authentication Server.
Custom extensions—Registers and defines processing instructions for X.509 v3 extensions that are unknown to Sterling External Authentication Server.
When you create a CV definition, you can configure optional elements within it. You can also add optional elements later. For more information on configuring and adding optional elements at a later time, see Creation and Management of Certificate Validation (CV) Definitions to Validate Certificates.
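The following added example (not code from the product or its documentation) models how the optional elements above combine during validation: a CRL check on the serial number, an attribute query whose filter resolves a `{cert.subject.cn}` variable against an in-memory stand-in for the LDAP directory, and an attribute assertion comparing the client IP and a returned attribute. The directory contents, CRL serials, attribute names and the `validate` ordering are constructed assumptions; note that the certificate-supplied CN is escaped per RFC 4515 before it is placed in the filter.

```python
import ipaddress
import re
from dataclasses import dataclass
# Constructed in-memory stand-in for the LDAP directory (not a real server): DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=partners,o=example": {"cn": ["alice"], "allowedIP": ["198.51.100.0/24"], "status": ["active"]},
    "cn=bob,ou=partners,o=example": {"cn": ["bob"], "allowedIP": ["203.0.113.0/24"], "status": ["suspended"]},
}
# Constructed CRL contents: serial numbers (hex) the issuer has revoked or suspended.
CRL_REVOKED_SERIALS = {"0x1a2b", "0x9f00"}

@dataclass
class CertRequest:
    subject_cn: str  # CN from the presented certificate's subject
    serial: str      # certificate serial number, hex string
    client_ip: str   # address the client connected from

def ldap_filter_escape(value):
    """RFC 4515 escaping so a certificate-supplied value cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def attribute_query(req, filter_template="(cn={cert.subject.cn})"):
    """Resolve {cert.subject.cn} in the filter and search; None means the query failed."""
    filt = filter_template.replace("{cert.subject.cn}", ldap_filter_escape(req.subject_cn))
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:  # malformed filter: treat as a failed query
        return None
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    for attrs in DIRECTORY.values():
        if value in attrs.get(attr, []):
            return attrs
    return None

def attribute_assertion(req, attrs):
    """Boolean statement: client IP lies within one of the entry's allowedIP ranges AND status is active."""
    ip = ipaddress.ip_address(req.client_ip)
    in_range = any(ip in ipaddress.ip_network(net) for net in attrs.get("allowedIP", []))
    return in_range and "active" in attrs.get("status", [])

def validate(req):
    """Apply the CRL check, the attribute query and the attribute assertion in turn; return (ok, reason)."""
    if req.serial.lower() in CRL_REVOKED_SERIALS:
        return False, "certificate serial is on the CRL"
    attrs = attribute_query(req)
    if attrs is None:
        return False, "attribute query returned no entry"
    if not attribute_assertion(req, attrs):
        return False, "attribute assertion evaluated false"
    return True, "certificate validated"
```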