Validate Certificate Assertion

The Validate Certificate assertion is used to validate an X.509 certificate context variable. Specifically, this assertion can validate that a certificate is not expired nor revoked, and that it has a valid chain.
A valid certificate does not ensure authentication. In other words, this assertion does not check that the user possesses the private key matching the certificate. To ensure client certificate authentication, consider adding the Require SSL or TLS Transport Assertion with Client Authentication assertion to your policy.
Context Variables Created by this Assertion
The Validate Certificate assertion sets the following context variables with details of the validation.
The default Output Variable Prefix value is "certificateValidation" and can be changed in the assertion properties.
Variable                           Description
${certificateValidation.passed}    Returns either True or False.
${certificateValidation.error}     Returns the error message if validation fails.
Set Assertion Properties
Double-click the assertion in a policy to configure the following properties:
Setting: Source Variable
Enter the name of the context variable containing the X.509 certificate.

Setting: Validation Type
Choose the level of validation from the Validation Type drop-down list:
  • Validate:
    Select this option to validate the expiration and format of the given certificate only.
  • Validate Certificate Path:
    Select this option to validate the certificate and build a path to a trust anchor.
  • Revocation Checking:
    Select this option to validate the certificate, build a path to a trust anchor, and perform a revocation check.
Setting: Output Variable Prefix
Specify a prefix that will be added to the context variables created by this assertion. The prefix prevents the context variables from being overwritten if the assertion appears more than once in a policy.
Default: certificateValidation
For an explanation of the validation messages displayed, see Context Variable Validation.
Setting: Fail on invalid certificate
Select this check box to cause the assertion to fail and log an error when the certificate is invalid.
Clear this check box to log the error without failing the assertion when the certificate is invalid.
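The three Validation Type levels and the passed/error outputs, modelled as an added Go example that is not Gateway code (the Gateway's own validation logic and error messages are not shown on this page). It builds a constructed root CA, a leaf certificate and two CRLs in memory with the standard library; the function names ValidateCert, issue and Demo, the error strings, the scenario labels and the choice of a CRL as the revocation source are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Result mirrors the assertion's two context variables: ${prefix.passed} and ${prefix.error}.
type Result struct {
	Passed bool
	Error  string
}

// ValidateCert applies one Validation Type ("Validate", "Validate Certificate Path" or "Revocation Checking"); each level includes the checks of the one before it.
func ValidateCert(level string, cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) Result {
	// "Validate": the certificate parsed (format) and is inside its validity window.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return Result{false, "certificate is expired or not yet valid"}
	}
	if level == "Validate" {
		return Result{true, ""}
	}
	// "Validate Certificate Path": build a chain from the leaf to a configured trust anchor.
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return Result{false, "path validation failed: " + err.Error()}
	}
	if level == "Validate Certificate Path" {
		return Result{true, ""}
	}
	// "Revocation Checking": the CRL must be signed by the leaf's issuer from the verified chain, and the leaf's serial must not be listed.
	if crl == nil {
		return Result{false, "no CRL available for revocation check"}
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return Result{false, "CRL signature invalid: " + err.Error()}
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Result{false, "certificate is revoked"}
		}
	}
	return Result{true, ""}
}

// issue generates a P-256 key and a certificate from tmpl signed by parent/parentKey (self-signed when parent is nil); throwaway test-PKI helper.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed root CA and leaf, signs an empty CRL and one revoking the leaf, and runs every level; keys are scenario names.
func Demo() map[string]Result {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(87600 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "constructed-client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8760 * time.Hour),
	}, root, rootKey)
	makeCRL := func(revoked []pkix.RevokedCertificate) *x509.RevocationList {
		der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour),
			NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked,
		}, root, rootKey)
		if err != nil {
			panic(err)
		}
		crl, _ := x509.ParseRevocationList(der)
		return crl
	}
	revoked := []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return map[string]Result{
		"validate/ok":        ValidateCert("Validate", leaf, nil, nil, now),
		"validate/expired":   ValidateCert("Validate", leaf, nil, nil, now.Add(2*8760*time.Hour)),
		"path/no-anchor":     ValidateCert("Validate Certificate Path", leaf, x509.NewCertPool(), nil, now),
		"path/anchored":      ValidateCert("Validate Certificate Path", leaf, trusted, nil, now),
		"revocation/clean":   ValidateCert("Revocation Checking", leaf, trusted, makeCRL(nil), now),
		"revocation/revoked": ValidateCert("Revocation Checking", leaf, trusted, makeCRL(revoked), now),
	}
}
```

The scenarios show what each level does and does not establish: at the "Validate" level a certificate issued by an unknown CA still yields passed=True, because only the validity window and format are examined; only "Validate Certificate Path" ties the certificate to a configured trust anchor, and only "Revocation Checking" consults a revocation source. None of the levels proves that the caller holds the matching private key, which is why the page points to the TLS client authentication assertion for that.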