---
title: Certificate Validation node
description: The Certificate Validation node validates the X.509 digital certificate or chain of certificates collected by the Certificate Collector node.
component: auth-node-ref
version: latest
page_id: auth-node-ref::certificate-validation
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/certificate-validation.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "Certificates", "LDAP", "TLS/SSL"]
page_aliases: ["self-managed/certificate-validation.adoc"]
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/certificate-validation.html
section_ids:
  example: Example
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  configuration: Configuration
  outputs: Outputs
  callbacks: Callbacks
  outcomes: Outcomes
  errors: Errors
---

# Certificate Validation node

The Certificate Validation node validates the X.509 digital certificate or chain of certificates collected by the [Certificate Collector node](certificate-collector.html).

**Certificate validation rules**

- If you add this node to a journey, you *must* configure it. With no configuration, the node returns the `True` outcome for every certificate presented in the journey, regardless of whether that certificate is valid, so an unconfigured node is a fail-open check.

- By default, this node validates only the *first* certificate in the collected chain (the user certificate) and ignores the remaining certificates in the chain.

  To validate *all* certificates in a certificate chain:

  1. Create an [ESV variable](https://docs.pingidentity.com/pingoneaic/tenants/esvs.html#variables) named `esv-am-nodes-certificatechain-validation-enforced` and set its value to `true`.

  2. Make sure all intermediate and root certificates from the chain are present in the truststore.

     If any intermediate or root certificate is missing from the truststore, certificate validation fails.

- If the collected user certificate is self-signed (test environments only), that self-signed certificate itself must be present in the truststore for certificate validation to succeed.

- If the collected user certificate is issued by a CA, the issuing certificates (the intermediate, or the intermediate and the root) must be present in the truststore for certificate validation to succeed.

  If the issuing certificates are missing from the truststore, certificate validation fails.

- The node uses the intermediate and user certificates to check certificate revocation status.
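The rules above, worked through as an added Go example (this is not code from the page and not the node's own validator): it builds a throwaway root CA, issuing CA and user chain with the standard library, then runs `crypto/x509` path validation against a truststore the way the note describes. `validate` returns the outcome name the node would follow. Assumptions the example makes: Check Certificate Expiration is enabled (so an expired certificate yields `Expired` rather than `False`), any self-signed truststore entry is treated as a trust anchor, and no extended key usage rule is applied because the page states none. All certificate names and lifetimes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// issue creates an ECDSA P-256 certificate for cn. With parent == nil it is
// self-signed; otherwise parent/parentKey sign it. Names here are constructed.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// validate applies the rules in the note above: chain[0] is the user certificate
// the Certificate Collector node gathered, truststore is what the administrator
// imported, enforceChain stands for esv-am-nodes-certificatechain-validation-enforced=true.
// It returns the node outcome, assuming Check Certificate Expiration is enabled.
func validate(chain, truststore []*x509.Certificate, enforceChain bool) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range truststore {
		if bytes.Equal(c.RawIssuer, c.RawSubject) { // self-signed entries are trust anchors
			roots.AddCert(c)
		} else {
			inters.AddCert(c) // issuing CAs count only if they are in the truststore
		}
	}
	toCheck := chain[:1] // default: only the first (user) certificate is validated
	if enforceChain {
		toCheck = chain // every collected certificate must chain to the truststore
	}
	for _, c := range toCheck {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // the page states no EKU rule
		if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
			return "Expired"
		}
		if err != nil {
			return "False"
		}
	}
	return "True"
}

type certs = []*x509.Certificate
// Scenarios runs each rule against a constructed root CA, issuing CA and user chain.
func Scenarios() map[string]string {
	year := time.Now().Add(365 * 24 * time.Hour)
	root, rootKey := issue("Example Root CA", true, year, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, year, root, rootKey)
	user, _ := issue("alice", false, year, inter, interKey)
	expired, _ := issue("bob", false, time.Now().Add(-time.Minute), inter, interKey)
	self, _ := issue("test-user", false, year, nil, nil) // self-signed: test environments only
	return map[string]string{
		"issuers in truststore":            validate(certs{user, inter}, certs{root, inter}, false),
		"intermediate missing":             validate(certs{user, inter}, certs{root}, false),
		"full chain, chain mode":           validate(certs{user, inter, root}, certs{root, inter}, true),
		"intermediate missing, chain mode": validate(certs{user, inter, root}, certs{root}, true),
		"self-signed, not in truststore":   validate(certs{self}, nil, false),
		"self-signed, in truststore":       validate(certs{self}, certs{self}, false),
		"expired user certificate":         validate(certs{expired}, certs{root, inter}, false),
	}
}

func main() {
	for name, outcome := range Scenarios() {
		fmt.Printf("%-34s -> %s\n", name, outcome)
	}
}
```

Run it with `go run`. The cases that matter operationally are the negative ones: a missing intermediate fails even though the user certificate is otherwise well formed and in date, and a self-signed user certificate passes only when that exact certificate is in the truststore, which is why the page limits that setup to test environments.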

## Example

This example shows an authentication journey that uses a certificate as the credential, with username and password as the fallback.

![journey certificate auth](_images/journey-certificate-auth.png)

1. The Certificate Collector node attempts to collect the certificate from the request body or the header.

   * If the node can collect the certificate, the journey proceeds to the [Certificate Validation node](certificate-validation.html).

   * If the node can't collect the certificate, the journey proceeds to a [Page node](page.html) containing a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) to let the user authenticate with username/password credentials.

2. The Certificate Validation node attempts to validate the certificate based on the configuration of that node.

   * If the certificate can be validated, the journey proceeds to the [Certificate User Extractor node](certificate-user-extractor.html).

   * If the certificate is invalid, the journey proceeds to the Failure node.

   * In all other cases (the `Not found`, `Expired`, `Path Validation Failed`, and `Revoked` outcomes), the journey proceeds to a [Page node](page.html) containing a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) to let the user authenticate with username/password credentials.

3. The Certificate User Extractor node extracts the user ID from the certificate and attempts to find a match in the identity store.

   * If the username can be extracted and a matching user is found in the identity store, the journey increments the login count and authenticates the user.

   * If the username can't be extracted or no matching user is found in the identity store, the journey proceeds to the Failure node.

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | Yes        |

## Inputs

This node requires an `X509Certificate` property in the incoming node state.

Place a [Certificate Collector node](certificate-collector.html) before this node in the journey so that it populates that property.

## Dependencies

This node has no dependencies.

## Configuration

* **Match Certificate in LDAP**

  When enabled, Advanced Identity Cloud matches the collected certificates with a certificate stored in the identity store. Set Subject DN Attribute Used to Search LDAP for Certificates to specify which LDAP attribute to search for certificate information.

  Default: Not enabled

* **Check Certificate Expiration**

  When enabled, Advanced Identity Cloud checks whether the collected certificates have expired.

  Default: Not enabled

* **Subject DN Attribute Used to Search LDAP for Certificates**

  The attribute Advanced Identity Cloud uses to search the identity store for the certificates. The search filter is built from this attribute and the value of the subject DN as it appears in the certificate.

  Default: `CN`

* **Match Certificate to CRL**

  When enabled, Advanced Identity Cloud checks whether the collected certificates have been revoked according to a Certificate Revocation List (CRL) in the identity store. Define the related CRL properties later in the node configuration.

  Default: Not enabled

* **Issuer DN Attribute(s) Used to Search LDAP for CRLs**

  The name of the attribute or attributes in the issuer certificate that Advanced Identity Cloud uses to locate the CRL in the identity store.

  - If you specify only one attribute here, the LDAP search filter used is `(attr-name=attr-value-in-subject-DN)`.

    For example, if the subject DN of the issuer certificate is `C=US, CN=Some CA, serialNumber=123456`, and the attribute specified is `CN`, Advanced Identity Cloud uses a search filter of `(CN=Some CA)` to locate the CRL.

  - To specify several attributes for the same CA issuer, use a comma-separated list (`,`) with the names in the same order in which they appear in the subject DN.

    In this case, the LDAP search filter used is `(attr1=attr1-value-in-subject-DN,attr2=attr2-value-in-subject-DN,…​)`, and so on.

    For example, if the subject DN of the issuer certificate is `C=US, CN=Some CA, serialNumber=123456`, and the attributes specified are `CN,serialNumber`, the LDAP search filter used to find the CRL is `(CN=Some CA,serialNumber=123456)`.

  Default: `CN`

* **HTTP Parameters for CRL Update**

  Parameters Advanced Identity Cloud includes in any HTTP CRL call to the CA that issued the certificate. If the client or CA certificate includes the `IssuingDistributionPoint` extension, Advanced Identity Cloud uses this information to retrieve the CRL from the distribution point.

  Add the parameters as key-value pairs in a comma-separated list (`,`). For example, `param1=value1,param2=value2`.

* **Cache CRLs in Memory**

  When enabled, Advanced Identity Cloud caches CRLs in memory. If this option is enabled, Update CA CRLs from CRLDistributionPoint must also be enabled.

  Default: Enabled

* **Update CA CRLs from CRLDistributionPoint**

  When enabled, Advanced Identity Cloud fetches new CA CRLs from the CRL Distribution Point and updates them in the identity store. If the CA certificate includes either the `IssuingDistributionPoint` or the `CRLDistributionPoint` extension, Advanced Identity Cloud attempts to update the CRLs when they're out of date.

  Default: Enabled

* **OCSP Validation**

  When enabled, Advanced Identity Cloud checks the validity of certificates using the Online Certificate Status Protocol (OCSP).

  Default: Not enabled

* **Certificate Identity Store**

  Select the default identity store (`OpenDJ`) from the list. You *must* select this identity store to let Advanced Identity Cloud search for certificates. Advanced Identity Cloud ignores all LDAP server settings below this field.

* **LDAP Server Where Certificates are Stored**, **LDAP Search Start or Base DN**, **LDAP Server Authentication User** and **LDAP Server Authentication Password**, **mTLS Enabled**, **mTLS Secret Label Identifier**, **Use SSL/TLS for LDAP Access**

  These properties don't apply to Advanced Identity Cloud.
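The filter construction described for Issuer DN Attribute(s) Used to Search LDAP for CRLs, as an added Go example (not the product's code): `CRLSearchFilter` takes the issuer certificate's subject DN as a string and the setting as typed into the node (`CN` or `CN,serialNumber`) and produces the filter strings shown above. Two things in it are the example's own choices rather than documented node behaviour: values are escaped per RFC 4515 before being placed in the filter, and an attribute that is absent from the DN, or listed out of subject-DN order, is reported as an error instead of producing a filter that cannot match. The DN parser handles `\c` escapes only; `\XX` hex pairs and multi-valued RDNs are out of scope.

```go
package main

import (
	"fmt"
	"strings"
)

// RDN is one "type=value" component of a string-form DN.
type RDN struct{ Type, Value string }

// splitUnescaped splits s on sep wherever sep is not preceded by a backslash.
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	start := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped byte so an escaped separator is kept
		case sep:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// unescape turns RFC 4514 "\c" escapes back into literal bytes. "\XX" hex
// pairs and multi-valued RDNs ("+") are out of scope for this example.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) {
			i++
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseDN splits a string DN such as "C=US, CN=Some CA, serialNumber=123456"
// into its RDNs in the order written.
func parseDN(dn string) ([]RDN, error) {
	var rdns []RDN
	for _, raw := range splitUnescaped(dn, ',') {
		kv := splitUnescaped(raw, '=')
		if len(kv) < 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("malformed RDN %q in %q", raw, dn)
		}
		rdns = append(rdns, RDN{
			Type:  strings.TrimSpace(kv[0]),
			Value: unescape(strings.Join(kv[1:], "=")),
		})
	}
	return rdns, nil
}

// escapeFilterValue applies RFC 4515 escaping so bytes in a DN value cannot
// change the filter's structure (the example's own hardening, not a page rule).
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// CRLSearchFilter builds the filter the page describes: one attribute gives
// (attr=value), several give (attr1=value1,attr2=value2,...). configuredAttrs
// is the node setting as typed; issuerDN is the issuer certificate's subject DN.
func CRLSearchFilter(issuerDN, configuredAttrs string) (string, error) {
	rdns, err := parseDN(issuerDN)
	if err != nil {
		return "", err
	}
	var parts []string
	next := 0 // attributes must be listed in the order they occur in the DN
	for _, attr := range strings.Split(configuredAttrs, ",") {
		attr = strings.TrimSpace(attr)
		for next < len(rdns) && !strings.EqualFold(rdns[next].Type, attr) {
			next++
		}
		if next == len(rdns) {
			return "", fmt.Errorf("attribute %q missing from issuer DN or out of order; no CRL can be located", attr)
		}
		parts = append(parts, attr+"="+escapeFilterValue(rdns[next].Value))
		next++
	}
	return "(" + strings.Join(parts, ",") + ")", nil
}

func main() {
	for _, cfg := range []string{"CN", "CN,serialNumber", "serialNumber,CN"} {
		f, err := CRLSearchFilter("C=US, CN=Some CA, serialNumber=123456", cfg) // the page's example DN
		fmt.Printf("%-16s -> %q (err: %v)\n", cfg, f, err)
	}
}
```

The page's two examples reproduce exactly because none of their characters need escaping; the escaping only changes the output when an issuer DN carries `*`, parentheses, a backslash or a NUL byte, which is precisely when an unescaped build would produce a filter with a different meaning from the one intended.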

## Outputs

This node doesn't change the shared state.

## Callbacks

This node doesn't send any callbacks.

## Outcomes

* `True`

  The node could validate the certificates.

  When the outcome is `True`, add a [Certificate User Extractor node](certificate-user-extractor.html) to extract the values of the user certificate.

* `False`

  The node couldn't validate the certificates. The journey follows this path when the node can't validate the certificates and there isn't a more specific outcome available.

* `Not found`

  The Match Certificate in LDAP property is enabled, but the certificates weren't found in the LDAP store.

* `Expired`

  The Check Certificate Expiration property is enabled, and the certificates have expired.

* `Path Validation Failed`

  The Match Certificate to CRL property is enabled, and the certificate path is invalid.

* `Revoked`

  The OCSP Validation property is enabled, and the certificates have been revoked.

## Errors

This node doesn't log any error or warning messages of its own.
