Skip to content

Validating Certificates (Premium Feature)

When a certificate is added to Venafi Cloud, two types of validation automatically take place for that certificate:

  • Certificate chain validation

  • SSL/TLS validation

Security, compliance, and technological innovation introduce new criteria for the validation of certificates and the servers that host them. Venafi Cloud validation helps you make sure your certificates remain valid and used properly.

Once the certificates are in Venafi Cloud, the validation takes place every 24 hours on an ongoing basis. This validation helps make sure that you are installing and using your certificates in a way that secures your machine identities.

Any certificates that fail validation will present a warning in Venafi Cloud, and they will also show up in the Machine Identity Digest email notification.

Viewing certificate validation status

The certificate installation page in Venafi Cloud shows the validation status for each certificate.

  1. Sign in to Venafi Cloud.

  2. In the toolbar, click Inventory > Certificate Installations. The certificate installations tables has a TLS Validation column and a Chain Validation column that shows the validation status for each certificate.

    • To search for a specific certificate, enter the certificate details in the search bar at the top.

    • To filter the list table, click Filter next to the search bar. In the TLS Validation and Chain Validation boxes, select the states that you want to include in the filter, the click Apply.

Machine Identity Digest email

Enabling the Machine Identity Digest email will send you a periodic email where you can view if validation has failed on any certificates. This is a quick and easy way to see if anything needs your attention. If so, then you can sign in to Venafi Cloud to further troubleshoot and take corrective action.

Certificate chain validation

Each certificate in Venafi Cloud shows that certificate's chain. A certificate chain starts with the end-entity certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. Root certificates are typically issued by a trusted certificate authority (CA), but you can upload additional root certificates if needed, such as for an internal CA. Certificate chain validation makes sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Any error in the certificate chain could cause an outage.

To help avoid chain-related outages, Venafi Cloud continuously monitors all certificates in the chain.

What is a certificate chain?

If you are unfamiliar with certificate chains, read through How do Certificate Chains Work for background.

Following are the possible certificate chain validation states, their descriptions, and resolution actions.

Validation Status Description Risk level Resolution
Chain expiring soon One or more of the CA certificates in the trust chain expires before the end-entity does, or is expiring soon. High

Identify the expiring or about to expire CA certificate from end entity certificate, download and install the current chain.

If the current chain is not available, renew the certificate, download and install end-entity and chain certificates.

Chain building failed

One or more intermediate or root CA certificates is missing, and a complete chain can't be constructed.

This means VC can build the chain for the certificate independent of the CA certificates returned by the server.

Warning Install the missing intermediate CA certificate(s) on the TLS server target.
Incomplete chain

The chain returned by the endpoint did not include a sufficient number of valid intermediate certificates to build a complete chain anchored by a root CA.

If you miss installing the intermediate certificate or upload the wrong one, then it can not be chained back and the browsers will not trust the certificate and may generate a broken chain or similar sort of warnings.

Warning

Check if your intermediate certificate is invalid due to revocation or expiration.

Download and install your end entity certificate along with proper intermediate certificate(s) that form its trust chain.

Chain not trusted The chain returned by the target cannot be used to form a Trusted chain Warning Add the missing CA certificate to the Trusted CA Certificate inventory
Unknown error Venafi Cloud encountered an error but could not identify it Warning

When an unknown error occurs, Venafi Cloud automatically captures the details of the condition and submits it to Venafi for future enhancement.

If you have additional questions, contact Venafi Support.

SSL/TLS validation

The validation feature in Venafi Cloud performs an SSL/TLS validation on each certificate every 24 hours. The SSL/TLS validation checks that the correct certificate is in use on an application, and that the certificate is properly configured.

Validation Status Description Risk level Resolution
Certificate mismatch The TLS target presented a certificate, but the common name or SAN of your SSL/TLS certificate does not match the domain where the certificate is installed High Install the correct version of the certificate associated with the domain. Or reissue a certificate by verifying the CN and SAN.
Old version of certificate found One of the certificate installations is using older versions of certificates that should be replaced with the newer versions. High Install current version of the certificate on the target TLS server installation.
No certificate present TLS target specificed in the VaaS platform didn't present a certificate on a specified port Warning Verify TLS server installation and port number and ensure if the target is valid. If target is valid, investigate why certificate is not present. If the target is no longer valid, remove target from discovery target list or Alternatively, the user just needs to wait until the installation is aged out. Current installation aged out time is 30 days.
Unexpected certificate found Certificate found on the TLS target contains a different fingerprint than the one that Venafi Cloud expected. Warning Install the correct certificate on the endpoint.
Unknown error Venafi Cloud encountered an error but could not identify it Warning

When an unknown error occurs, Venafi Cloud automatically captures the details of the condition and submits it to Venafi for future enhancement.

If you have additional questions, contact Venafi Support.