This class provides a simple way to validate an X.509 certificate and its issuer (CA) certificates with one call.
Use TElX509CertificateValidator to validate an X.509 certificate according to the validation rules described in RFC 3280. This component validates the certificate itself and its issuer (CA) certificates. If CRL and OCSP validation are enabled, the component also uses CRLs and OCSP to perform additional checking of the certificates. Certificates used to sign CRLs and OCSP responses are validated automatically, with the same settings and parameters as those used for validation of the main certificate chain.
On Windows, TElX509CertificateValidator automatically uses Windows Certificate Stores to access CA and Root certificates, as well as the Trusted and Blocked certificate lists. On other platforms, or in addition to Windows Certificate Stores, you can specify your own trusted, known and blocked certificate lists.
To retrieve Certificate Revocation Lists (CRLs), TElX509CertificateValidator uses the pluggable TElCRLRetriever class and its descendants. The HTTP CRL Retriever class is located in the SBHTTPCRL unit / namespace. In the .NET edition you need to reference the SBHTTPCRL namespace from your code, then call the SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory() method. In the VCL edition this class is activated automatically when you add the SBHTTPCRL unit to the Uses clause. Note: use of the HTTP CRL Retriever requires a license for the HTTPBlackbox package (or one of the packages that include HTTPBlackbox); use of the LDAP CRL Retriever requires a license for the LDAPBlackbox package (or one of the packages that include LDAPBlackbox). Alternatively, you can disable CRL checks.
For OCSP requests, TElX509CertificateValidator uses the pluggable TElOCSPClient class and its descendants. The HTTP OCSP Client class is located in the SBHTTPOCSPClient unit / namespace. In the .NET edition you need to reference the SBHTTPOCSPClient namespace from your code, then call the SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory() method. In the VCL edition this class is activated automatically when you add the SBHTTPOCSPClient unit to the Uses clause. Note: use of the HTTP OCSP Client requires a license for the HTTPBlackbox package (or one of the packages that include HTTPBlackbox). Alternatively, you can disable OCSP checks.
- Namespace: SBCertValidator
- Assembly: SecureBlackbox
- Unit: SBCertValidator
- Package: SecureBlackbox.Base.jar
To use the component in development and distribution of your projects, you need to purchase one of the licenses:
Any SecureBlackbox package