Validation process

To validate a certificate, Nexus OCSP Responder will do the following:

1. Searche the certificate in the trust store. If found, the certificate is OK and the validation is finished.
2. Check if the certificate is not yet valid or has expired. If any of these conditions is true, the certificate is invalid and the validation is finished.
3. Use the validation modules to get the certificate revocation status. If status is "unknown" or "revoked", the certificate is invalid and the validation is finished. If status is "good", continue with the next step.
4. Find all the possible associated issuer certificates. If one of them validates when using the process outlined above, the certificate is OK and will be stored in the certificate cache. The validation is finished. Otherwise, the certificate is invalid and the validation is finished.

When a Certificate Revocation List (CRL) provider retrieves a CRL, Nexus OCSP Responder will do the following:

1. Parse the CRL and check for unsupported extensions, in particular Issuing Distribution Point (IDP) and Issuer Alternative Name (IAN).
2. Retrieve the certificate for the CRL issuer by use of the certificate cache.
3. Verify the signature of the CRL by use of the public key in the CRL issuer certificate.
4. Validate that the CRL is issued before current system time and check that the time for next update is not yet passed.
5. Update the CRL cache with the verified CRL.

For more information regarding Certificate Issuance Lists (CILs), see Certificate Issuance List - CIL.

When a CIL provider retrieves a CIL, Nexus OCSP Responder will do the following:

1. Parse the CIL and check for unsupported extensions.
2. Retrieve the certificate for the CIL issuer by use of the certificate cache.
3. Verify the signature of the CIL by use of the public key in the CIL issuer certificate.
4. Validate that the CIL is issued before current system time and check that the time for next update is not yet passed.
5. Update the CIL cache with the verified CIL.