
Validating certificates

When a certificate is added to Venafi as a Service, two types of validation
take place for that certificate automatically:

  • SSL/TLS validation

  • Certificate chain validation

Security, compliance, and technological innovation introduce new criteria for the validation of certificates and the servers that host them. Venafi as a Service helps ensure that your certificates remain valid and are used properly.

Once the certificates are in Venafi as a Service, the validation takes place every 24 hours. This validation helps to ensure that you're installing and using your certificates in a way that secures your machine identities.

You'll see a warning message in Venafi as a Service for any certificates that fail validation. In addition, a Machine Identity Digest is sent out through email notifications to specified recipients so that they can take immediate action.

Viewing certificate validation status

The certificate installation page in Venafi as a Service shows the validation status for each certificate.

  1. Sign in to Venafi as a Service.

  2. In the toolbar, click Inventory > Certificate Installations.

    The certificate installations table has a TLS Validation column and a Chain Validation column that show the validation status for each certificate.

    • To search for a specific certificate, enter the certificate details in the search bar at the top.

    • To filter the table, click Filter next to the search bar. In the TLS Validation and Chain Validation boxes, select the states that you want to include in the filter, then click Apply.

Machine Identity Digest email

Enabling the Machine Identity Digest email sends you a periodic email in which you can see whether validation has failed on any certificates. This is a quick and easy way to see if anything needs your attention. If so, sign in to Venafi as a Service to troubleshoot further and take corrective action.

Running a validation manually

You can run a quick validation on any installed certificates.

  1. Sign in to Venafi as a Service.

  2. In the toolbar, click Inventory > Certificate Installations.

  3. On the Certificate Installations page, do one of the following:

    • To search for a specific certificate, enter the certificate details in the search bar at the top.
    • To manually filter the list, click Filter next to the search bar to enter the attributes you want to include in the filter, and then click Apply.
  4. In the Certificate Name column, find and click the name of the certificate you want to validate.

  5. In the Certificate Details view, click the INSTALLATIONS tab.

  6. Click Validate Now.

    A Validation in progress message appears at the top of the page. If the validation is successful, the TLS Validation and Chain Validation columns display Success. Otherwise, a Validation Failed message appears.

    TIP

    You can also verify when the last validation occurred for your installed certificates by looking at the Last Seen column. Shortly after you run Validate Now, Last Seen should change from its previous value to "a minute ago".

Certificate chain validation

Each certificate in Venafi as a Service shows that certificate's chain. A certificate chain starts with the end-entity certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. Root certificates are typically those of a publicly trusted certificate authority (CA), but you can upload additional root certificates if needed, such as for an internal CA. Certificate chain validation makes sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Any error in the certificate chain could cause an outage.

To help avoid chain-related outages, Venafi as a Service continuously monitors all certificates in the chain.

What is a certificate chain?

If you are unfamiliar with certificate chains, read through How do Certificate Chains Work for background.

Following are the possible certificate chain validation states, their descriptions, and resolution actions.

Chain expiring soon
  Description: One or more of the CA certificates in the trust chain expires before the end-entity certificate does, or is expiring soon.
  Risk level: High
  Resolution: Starting from the end-entity certificate, identify the CA certificate that has expired or is about to expire, then download and install the current chain. If the current chain is not available, renew the certificate, then download and install the end-entity certificate together with its chain certificates.

Chain building failed
  Description: One or more intermediate or root CA certificates is missing, so a complete chain can't be constructed. (Venafi as a Service can build the chain for the certificate independently of the CA certificates returned by the server.)
  Risk level: Warning
  Resolution: Install the missing intermediate CA certificate(s) on the TLS server target.

Incomplete chain
  Description: The chain returned by the endpoint did not include enough valid intermediate certificates to build a complete chain anchored by a root CA. If an intermediate certificate is not installed, or the wrong one is installed, the end-entity certificate cannot be chained back to a trusted root; browsers will not trust it and will show a broken-chain or similar warning.
  Risk level: Warning
  Resolution: Check whether your intermediate certificate is invalid because it has been revoked or has expired. Download and install your end-entity certificate along with the correct intermediate certificate(s) that form its trust chain.

Chain not trusted
  Description: The chain returned by the target cannot be used to form a trusted chain.
  Risk level: Warning
  Resolution: Add the missing CA certificate to the Trusted CA Certificate inventory.

Unknown error
  Description: Venafi as a Service encountered an error but could not identify it.
  Risk level: Warning
  Resolution: When an unknown error occurs, Venafi as a Service automatically captures the details of the condition and submits them to Venafi for future enhancement. If you have additional questions, contact Venafi Support.

Pending
  Description: The validation process has not yet occurred.
  Risk level: Warning
  Resolution: Run a manual validation (Validate Now) or wait until the next automated validation occurs. If you have additional questions, contact Venafi Support.

SSL/TLS validation

The validation feature in Venafi as a Service performs an SSL/TLS validation on each certificate every 24 hours. The SSL/TLS validation checks that the correct certificate is in use on an application, and that the certificate is properly configured.

Following are the possible SSL/TLS validation states, their descriptions, risk levels, and resolution actions.

Hostname mismatch
  Description: The TLS target presented a certificate, but neither the common name (CN) nor a subject alternative name (SAN) of that certificate matches the domain where it is installed.
  Risk level: High
  Resolution: Install the correct certificate for the domain, or reissue the certificate after verifying its CN and SAN entries.

Old version of certificate found
  Description: The installation is using an older version of the certificate that should be replaced with the newer version.
  Risk level: High
  Resolution: Install the current version of the certificate on the target TLS server installation.

No certificate present
  Description: The TLS target specified in Venafi as a Service did not present a certificate on the specified port.
  Risk level: Warning
  Resolution: Verify the TLS server installation and port number and confirm that the target is valid. If the target is valid, investigate why no certificate is presented. If the target is no longer valid, remove it from the discovery target list, or wait for the installation to age out; installations currently age out after 30 days.

Unexpected certificate found
  Description: The certificate found on the TLS target has a different fingerprint from the one Venafi as a Service expected.
  Risk level: Warning
  Resolution: Install the correct certificate on the endpoint.

Unknown error
  Description: Venafi as a Service encountered an error but could not identify it.
  Risk level: Warning
  Resolution: When an unknown error occurs, Venafi as a Service automatically captures the details of the condition and submits them to Venafi for future enhancement. If you have additional questions, contact Venafi Support.

Pending
  Description: The validation process has not yet occurred.
  Risk level: Warning
  Resolution: Run a manual validation (Validate Now) or wait until the next automated validation occurs. If you have additional questions, contact Venafi Support.