Validate the certificate using TElX509CertificateValidator
This how-to describes a simple approach to certificate validation that is normally sufficient for all applications. Developers who need fine-grained validation with flexible tuning of the validation parameters should refer to the how-to article. Basic information on certificate validation can be found in the mini-FAQ.
The following steps are needed to validate a certificate:
Before any certificate validation is performed, the TElX509CertificateValidator object needs to be properly initialized.
At this stage, the information specific to the certificate(s) being validated, such as trusted certificates, known CRLs and known OCSP responses, should be loaded into memory.
This is done with the corresponding Clear* and Add* methods of TElX509CertificateValidator.
On Windows, the system certificate stores are initialized with a single call to InitializeWinStorages and are accessible via the corresponding WinStorage* properties.
To use these stores, the UseSystemStorages property should be set to True.
In addition, TElX509CertificateValidator allows you to specify various validation options via its boolean properties, such as CheckValidityPeriodForTrusted, ImplicitlyTrustSelfSignedCertificates, etc.
Checking CRLs and OCSP responses
TElX509CertificateValidator internally uses the SecureBlackbox CRL retriever and OCSP client classes to request CRLs and send OCSP requests. To use these classes, you have to explicitly reference/include the corresponding namespace/unit in your code, depending on the edition, as described in the corresponding topic. These classes use the TElHTTPSClient component of SecureBlackbox to fetch the necessary information; consequently, you need a license for a package that covers TElHTTPSClient.
In some cases the CRL or OCSP response is available before validation, e.g., when it is included in the signature of a *AdES document. Such CRLs and OCSP responses can be passed to TElX509CertificateValidator using the AddKnownCRLs and AddKnownOCSPResponses methods. When you do not need to check the certificate revocation information, and hence there is no need to use the HTTP transport, set the OfflineMode property to True.
To explicitly specify how the revocation information should be checked, use the CheckCRL, CheckOCSP, MandatoryCRLCheck, and MandatoryOCSPCheck properties.
TElX509CertificateValidator offers a number of methods to validate different certificates depending on your needs.
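The initialization and revocation settings described above, put together in one validation routine for the Delphi edition. This is an added example, not code from the SecureBlackbox documentation; the unit names SBHTTPCRL and SBHTTPOCSPClient, the method names ClearTrustedCertificates and AddTrustedCertificates, the Validate(Cert, Validity, Reason) signature and the vrRevoked set element are assumptions about the API, and the parameter names are the example's own.

```delphi
uses
  SysUtils, SBX509, SBCustomCertStorage, SBCRL, SBCertValidator,
  SBHTTPCRL, SBHTTPOCSPClient; // assumed: units that register the HTTP CRL retriever and OCSP client

{ Validates Cert against the trust anchors in TrustedRoots only (the Windows
  system stores are not consulted). When Offline is True no HTTP transport is
  used, so revocation evidence must come from KnownCRLs (e.g. CRLs embedded in
  a *AdES signature). Returns True only for cvOk; Validity and Reason carry
  the verdict so the caller can log or report it. }
function IsCertificateTrusted(Cert: TElX509Certificate;
  TrustedRoots: TElCustomCertStorage; KnownCRLs: TElCustomCRLStorage;
  Offline: Boolean; var Validity: TSBCertificateValidity;
  var Reason: TSBCertificateValidityReason): Boolean;
var
  Validator: TElX509CertificateValidator;
begin
  Validator := TElX509CertificateValidator.Create(nil);
  try
    // Start from an empty trust store and load only the anchors we control
    Validator.ClearTrustedCertificates;             // assumed method name
    Validator.AddTrustedCertificates(TrustedRoots); // assumed method name
    Validator.UseSystemStorages := False;

    // A self-signed certificate is not trusted just because it is
    // self-signed, and even trust anchors must be within their validity period
    Validator.ImplicitlyTrustSelfSignedCertificates := False;
    Validator.CheckValidityPeriodForTrusted := True;

    // Revocation policy: a CRL must be available for every certificate in the
    // chain (embedded or fetched); an OCSP response is used when available.
    // OfflineMode restricts the validator to the evidence supplied via
    // AddKnownCRLs/AddKnownOCSPResponses; it does not skip the check.
    Validator.OfflineMode := Offline;
    if KnownCRLs <> nil then
      Validator.AddKnownCRLs(KnownCRLs);
    Validator.CheckCRL := True;
    Validator.CheckOCSP := True;
    Validator.MandatoryCRLCheck := True;   // no CRL => certificate is invalid
    Validator.MandatoryOCSPCheck := False; // OCSP is optional evidence here

    Validator.Validate(Cert, Validity, Reason); // assumed signature
    Result := (Validity = cvOk);
    // Reason is a set; a revoked certificate is the case worth flagging loudly
    if (not Result) and (vrRevoked in Reason) then
      raise Exception.Create('Certificate has been revoked: ' + Cert.SubjectName.CommonName);
  finally
    Validator.Free;
  end;
end;
```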
Most common reasons for certificate invalidity are listed below.