Validation Checks for Certificates

In order to validate whether a certificate is acceptable, Plant Connectivity executes the following checks:

  • Verifying the signatures of the certificates in the certificate chain and the completeness of the certificate chain. If a self-signed certificate is being used, there is no certificate chain, and only the signature of the certificate itself is checked.

  • Checking the revocation status of the certificate.

  • Checking the following attributes of the certificate:

    • Validity period of the certificate

    • Subject of the certificate: for example, check whether it contains the host name for the server certificate as the Common Name.

    • Subject Alternative Name

    • Key usage attribute: Check whether the key usage attribute matches the intended usage.

  • Checking trust, that is, checking whether the CA that signed the request is trusted.

If one of the validation checks fails, the SSL or TLS connection cannot be established. In various security settings you can configure which of these checks should be ignored by PCo.

The previous sections explain in detail how trust can be established within SAP Plant Connectivity. If a server has several alternative host names, the validation of the subject can sometimes lead to unexpected results. In this case it is often not sufficient to specify only the host name in the subject; it is also necessary to specify the alternative host names or even the IP addresses in the certificate. Take this into account when generating certificate signing requests or self-signed certificates. See also: Generating Certificate Signing Requests or Self-Signed Certificates
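
The following added example (not SAP code and not PCo's own implementation) shows why a server reached under several names fails the subject check unless every name is listed in the certificate, alongside the validity period check. It assumes the decoded certificate layout returned by Python's `ssl.SSLSocket.getpeercert()`, uses exact matching only (no wildcards), and all host names, addresses and dates are constructed.

```python
import ipaddress
import ssl

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert();
# host names, IP address and dates are invented for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "pco01.plant.example"),),),
    "subjectAltName": (
        ("DNS", "pco01.plant.example"),
        ("DNS", "pco01"),
        ("IP Address", "10.0.0.15"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}

def within_validity(cert, now):
    """Validity period check; now is seconds since the epoch (UTC)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end

def name_covered(cert, name):
    """True if name (host name or IP literal) is listed in the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address only matches SAN entries of type IP, never DNS or CN.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    dns = [v.lower() for t, v in sans if t == "DNS"]
    if not dns:
        # Fall back to the Common Name only when no DNS SAN entry exists.
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return name.lower() in dns

def uncovered_names(cert, names):
    """Names clients use for the server that the certificate does not list."""
    return [n for n in names if not name_covered(cert, n)]
```

Run `uncovered_names` against the full list of host names and IP addresses that clients use before generating the certificate signing request; any name it returns must be added to the request.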