A-SIT Secure Information Technology Center – Austria

Certificate Details and Status

Double-clicking a search result (see searching for certificates) or opening a certificate via File → Open certificate… opens a new tab containing the details of the selected certificate. The certificate's validity is verified with respect to the validation date specified in the application's main screen. Furthermore, CRL distribution points and OCSP responders are queried for revocation information. Please note that validating a certificate for some future point in time is not meaningful, since OCSP and/or CRL information for that date may not be available.

Whether a certificate is considered valid depends on the (manually configurable) trust anchors (see Configuration). Since trust anchors are always configured manually, even revoked issuer certificates can be used for validating certificates.
In addition to verification based on trust anchors, the EU trusted lists of certification service providers are used to determine a certificate's validity. Consequently, the results based on manually configured trust anchors can differ from the results based on the trusted lists of certification service providers.

As can be seen above, the certificate's details are shown and can be explored by selecting individual rows of the corresponding table.
Below this certificate information, the validity status is shown for the configured validation date.

CRL Info

Detailed information about the CRL distribution point used for the current certificate is also presented:

The current CRL can also be saved to a file by clicking the Save revocation list button. The CRL distribution point information is extracted from the certificate (if present). Otherwise, manually configured CRL distribution points are used (see Configuration). Alternatively, the URL to a CRL distribution point can be entered manually.

OCSP Info

In addition to the CRL information, the OCSP status of the current certificate is also queried, providing the following information:

The OCSP responder URL is extracted from the certificate if present. Otherwise, manually configured OCSP responders are used (see Configuration). Alternatively, the URL to an OCSP responder can be entered manually.

TSL-Based Validation Results

In addition to validating certificates based on manually configured trust anchors, TSL-based validation is also supported. Such a validation process is performed automatically and works as follows:

  1. The validity status of the EU's top-level TSL is evaluated based on predefined EU trust anchors.
  2. The validity status of the country matching the certificate issuer is evaluated based on the EU top-level TSL.
  3. The validity period of the certificate itself is validated (excluding CRL and OCSP information).
  4. The issuer information is extracted from the certificate to be validated.
  5. The issuer certificate is validated (including CRL and OCSP information).
  6. The issuer status is evaluated against the EU trusted lists of certification service providers and their services.
  7. The identified service is considered valid if at least one of its certificates is still valid.
  8. The corresponding service provider itself is considered valid if at least one of its services is still valid.

This results in a chain of trust, which is visualised accordingly. Green indicates a valid (and thus trusted) node, red indicates an invalid (or not trustworthy) node. Any node corresponding to a certificate can be double-clicked to display the underlying certificate's details. These details are displayed in a separate dialogue window, presented in the same manner as the certificate currently under evaluation. This dialogue also allows the certificate to be saved to a file.

Automatic Certificate Validation

It is possible to automatically validate certificates returned from an LDAP query. The number of automatically validated certificates can be configured from the menu bar via Configuration → Preferences. The status of certificates validated this way is incorporated into the search results and displayed accordingly.

Hint: Validating certificates takes some time, especially if the TSL information is being updated in the background. In such cases, timeouts can occur (see TSL for more information).

Notes on Selected Certificate Details

Some selected certificate properties are discussed below:

Handling of Certificate Extensions

Some of a certificate's most relevant properties are defined through extensions. Not all extensions may be known to an application processing a certificate. According to RFC 3280, special attention needs to be paid to so-called critical extensions: in particular, a certificate featuring an unknown critical extension must be rejected. The Certificate Status Tool informs the user whenever an unknown extension is encountered and stops processing the certificate featuring this extension.
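The following Go program is an added illustration of the RFC 3280 rule just described; it is not code from the Certificate Status Tool. It builds a constructed self-signed root certificate, optionally carrying an unknown extension (an assumed, unassigned OID) marked critical or non-critical, and refuses to process the certificate when the parser reports a critical extension it does not understand, before checking the remaining chain against a trust anchor at a chosen validation date. Using the certificate itself as the manually configured anchor is a simplification for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
var (
	// Constructed, unassigned OID standing in for an extension the verifier does not understand (assumption).
	unknownOID         = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	unknownCritical    = pkix.Extension{Id: unknownOID, Critical: true, Value: []byte{5, 0}} // DER NULL body
	unknownNonCritical = pkix.Extension{Id: unknownOID, Critical: false, Value: []byte{5, 0}}
)

// makeSelfSigned builds a self-signed CA certificate carrying the given extra extensions.
func makeSelfSigned(extra ...pkix.Extension) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, ExtraExtensions: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validate stops on any critical extension the parser did not recognise (RFC 3280, section 4.2);
// otherwise it verifies the chain at the given validation date, using the certificate itself as root.
func validate(c *x509.Certificate, at time.Time) error {
	if ids := c.UnhandledCriticalExtensions; len(ids) > 0 {
		return fmt.Errorf("unknown critical extension(s) %v: processing stopped", ids)
	}
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}
```

Note that the same unknown extension is tolerated when it is not marked critical, and that the same certificate fails when the validation date lies outside its validity period.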