Validate Certificate Assertion
The Validate Certificate assertion is used to validate an X.509 certificate held in a context variable. Specifically, this assertion can validate that a certificate is neither expired nor revoked, and that it has a valid certificate chain.
A valid certificate does not by itself ensure authentication. In other words, this assertion does not cause the Gateway to check that the user possesses the private key matching the certificate. To ensure client certificate authentication, consider adding the Require SSL or TLS Transport Assertion With Client Authentication Assertion to your policy.
Context Variables Created by this Assertion
The Validate Certificate assertion sets the following context variables with details of the validation.
The default Output Variable Prefix value is "certificateValidation" and can be changed in the assertion properties.
Returns either True or False, indicating whether validation succeeded.
Returns the error message if validation fails.
Set Assertion Properties
Double-click the assertion in a policy to configure the following properties:
Enter the name of the context variable containing the X.509 certificate.
Choose the level of validation from the Validation Type drop-down list.
Output Variable Prefix
Specify a prefix that will be added to the context variables created by this assertion. The prefix will prevent the context variable from being overwritten if the assertion appears more than once in a policy.
For an explanation of the validation messages displayed, see Context Variable Validation.
Fail on invalid certificate
Select this check box to cause the assertion to fail and log an error when the certificate is invalid.
Clear this check box to log an error but not fail the assertion when the certificate is invalid.