Certificate validation

Axway VA

This document provides information for configuring HSMs with Axway VA (Validation Authority) by using PKCS #11 libraries. For additional questions about your HSM, see the relevant administrator guide.

Application description

The Validation Authority Server (VA Server) product ensures the integrity and validity of online transactions by delivering real-time validation of digital certificates issued by any Certification Authority (CA). It is a robust server application that enables the most widely used secure Internet applications to validate digital certificates.

VA Server has the following elements:

  • A VA validation server that acts as either a Repeater or Responder operating on a Windows or Linux platform.
  • A web-based VA administration server that provides centralized management of your validation processing components through an admin UI.

Based on its server license, you can set up VA Server to operate as either a Responder or a Repeater. As a Responder, VA Server also offers support for HSMs, a critical component that provides the highest level of security and performance for protected key storage, high-speed signatures, and hardware key generation.

The VA Server maintains a store of digital certificate revocation data by obtaining the issuing CA Certificate Revocation List (CRL), a cumulative list of revoked certificates.

VA Server is CA neutral and supports multiple CAs, several different trust models, and CA-specific validation policies. It also supports multiple validation policies that clients can reference in a Server-based Certificate Validation Protocol (SCVP) request to specify authentication and authorization requirements.

To validate a digital certificate, a client application can query the VA Server rather than performing the cumbersome task of obtaining and processing the entire CRL every time it encounters a digital certificate.

Client applications can query the VA Server by using open standard protocols, including the Online Certificate Status Protocol (OCSP) defined by RFC 6960 (formerly 2560) and the SCVP defined by RFC 5055.

Clients can use SCVP to delegate the entire certificate validation operation, including path construction and intermediate CA validation, to the VA Server.

Guardian integration