/
Validation process
Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Validation process

Owned by Ann Base (Deactivated)
Last updated: Nov 04, 2024 by Ylva AnderssonVersion comment
2 min read

This article describes the validation processes made by the Nexus OCSP Responder.

Validation process for certificates

To validate a certificate, Nexus OCSP Responder will do the following:

  1. Search for the certificate in the trust store. If found, the certificate is OK and the validation is finished.

  2. Check if the certificate is not yet valid or has expired. If any of these conditions is true, the certificate is invalid and the validation is finished.

  3. Use the validation modules to get the certificate revocation status. If status is "unknown" or "revoked", the certificate is invalid and the validation is finished. If status is "good", continue with the next step.

  4. Find all the possible associated issuer certificates. If one of them validates when using the process outlined above, the certificate is OK and will be stored in the certificate cache. The validation is finished. Otherwise, the certificate is invalid and the validation is finished.

Validation process for CRLs

When a Certificate Revocation List (CRL) provider retrieves a CRL, Nexus OCSP Responder will do the following:

  1. Parse the CRL and check for unsupported extensions, in particular Issuing Distribution Point (IDP) and Issuer Alternative Name (IAN).

  2. Retrieve the certificate for the CRL issuer by use of the certificate cache.

  3. Verify the signature of the CRL by use of the public key in the CRL issuer certificate.

  4. Validate that the CRL is issued before current system time and check that the time for next update is not yet passed.

  5. Update the CRL cache with the verified CRL.

Validation Process for CILs

For more information regarding Certificate Issuance Lists (CILs), see Certificate Issuance List - CIL.

When a CIL provider retrieves a CIL, Nexus OCSP Responder will do the following:

  1. Parse the CIL and check for unsupported extensions.

  2. Retrieve the certificate for the CIL issuer by use of the certificate cache.

  3. Verify the signature of the CIL by use of the public key in the CIL issuer certificate.

  4. Validate that the CIL is issued before current system time and check that the time for next update is not yet passed.

  5. Update the CIL cache with the verified CIL.

Related content

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions