X509 Certificate Validator
Valve for validating X.509 certificates
Last updated
Valve for validating X.509 certificates
Last updated
Use this valve to validate a X.509 v3 certificate.
Performs the following validations (in specified order):
Validity (notBefore/notAfter)
PKIX path ("certificate chain")
Signature
Valve operates on items if available. During item iteration the validation result ("certificate status") will be set on the current item and must be asserted later in pipe. If no items are available pipe will fail if validation fails.
Certificate status values:
GOOD
EXPIRED
NOT_YET_VALID
INVALID_PATH
INVALID_SIGNATURE
src
X509 certificate in PEM format.
dest
Name of item property receiving validation status. Only used in item iteration mode.
"cert_status"
now
Instant in ISO-format for validating certificate expiry. Supports property expansion.
Default: current date/time
truststore
Trust store configuration object. Trust store is used for validating the certificate path.
truststore.path
Path to trust store (Mandatory unless "data" is specified.
truststore.data
Base64 encoded trust store (Mandatory unless "path" is specified)
truststore.password
Trust store password
truststore.type
"PKCS12"
It is possible to check certificate validity for any point in time by setting the now configuration property. If not set, now will default to now (i.e the current time).