Validation Issues

Certificate Validation Speed

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a Root CA certificate and, optionally, the certificates of one or more intermediate CAs. The certificate chain for a certificate signed by your Organizational CA is composed of one certificate, which is the Organizational CA's self-signed certificate. Externally-signed user and server certificates might have longer chains.

Validating the information in a certificate and its associated certificate chain is not a time-intensive process. However, there are occasions where the validation might take longer:

1. If the certificate was signed by an external CA and one or more of the certificates has a CRL distribution point extension.

   In order to validate the certificate, the CRL for each applicable certificate in the chain must be retrieved. The CRL must then be examined to determine whether or not the certificate has been revoked.

   If the CRLs are large or if the server operating the CRL distribution point is busy, it might take some time to validate a certificate. The time required can be decreased by doing one or more of the following:

   • Upgrade the speed of the connection being used to check the revocation status of the certificate.
   • Contact your CA provider.

2. If you are validating a user certificate.

   For server certificates, the entire certificate chain is stored along with the server certificate in the Key Material object. Therefore, when a server certificate is validated, the client can get all of the certificates necessary by simply reading one object. User certificates, however, are stored differently. Only the user certificate itself is stored in the User object. Thus, the client must retrieve the certificate chain from other objects stored in the Security container in order to validate the user certificate.

   In order to validate a user certificate signed by the Organizational CA, the client must read the Organizational CA's object in order to retrieve the CA's certificate. In order to validate a user certificate signed by an external CA, the client must read the Trusted Roots container in the Security container in order to compose a certificate chain that matches the user certificate. In the latter case, an Administrator must have already imported the certificates of the external CAs into the Trusted Roots container in order for the validation of the User certificate to succeed.

   The time required to validate a user certificate can be decreased by doing one or more of the following:

   • Partition the Security container and widely replicate Read-Only replicas of it. The data in the Security container is relatively static, so doing so will not lead to synchronization problems within your tree.
   • Place the replicas of the Security container physically closer to those users who need to validate user certificates.
   • Remove expired certificates that are no longer trusted from the Trusted Roots container.

Validating Certificates after Deleting the Organizational CA

If you delete the Organizational CA (other than during a backup and restore procedure), you should delete all user and server certificates that were signed by the Organizational CA. If you don't, you will experience the following behavior when validating these certificates:

• User certificates signed by the deleted CA will be invalid. This is because the certificate of the CA which signed the user certificate could not be found in the Organizational CA object or in the Trusted Roots container. If you want those user certificates to remain valid, you must add the previous CA's self-signed certificate to the Trusted Roots container.
• Server certificates signed by the deleted CA will continue to be valid. This is because the CA's certificate is stored in the Key Material object along with the server certificate.

  If you deleted the Organizational CA because the key had been compromised or because of some security breach, you should immediately delete all user and server certificates that were signed by the CA. You should also tell all users who may have imported your Organizational CA's certificate into their browsers to delete the certificate.