X509 Certificate Validator

Valve for validating X.509 certificates

Introduction

Use this valve to validate a X.509 v3 certificate.

Performs the following validations (in specified order):

Validity (notBefore/notAfter)
PKIX path ("certificate chain")
Signature

This valve is a part of the item iteration API meaning that it operates on the current item set. For more information on item iteration, see Item.

Valve operates on items if available. During item iteration the validation result ("certificate status") will be set on the current item and must be asserted later in pipe. If no items are available pipe will fail if validation fails.

Certificate status values:

GOOD
EXPIRED
NOT_YET_VALID
INVALID_PATH
INVALID_SIGNATURE

Configuration

Valve name: X509CertificateExtractor

Name

Description

Default value

Mandatory

Expanded

{
  "name" : "X509CertificateValidator,
  "config" : {
    "src" : "${request.pem}",
    "truststore" : {
      "path": "config/truststore.jks"
      "password": "secret",
      "type": "JKS"
    }
  }
}

Certificate validity

It is possible to check certificate validity for any point in time by setting the now configuration property. If not set, now will default to now (i.e the current time).

PreviousPasscode Generator NextDelivery