Overview: Validating Certificates
Certificate validation helps ensure that certificates are being used correctly to secure machine identities. After certificates are added to the certificate inventory, Next-Gen Trust Security validates them automatically every 24 hours.
Certificate validation is important because security, compliance, and technology requirements evolve over time. Next-Gen Trust Security continuously evaluates certificates and the servers that host them to help ensure certificates remain valid and are used appropriately.
Next-Gen Trust Security surfaces validation results directly in the dashboard and flags certificates that fail validation so administrators can take action.
In addition to automatic validation, you can manually run validation on certificates using Validate Now. Manual validation can also discover additional TLS server endpoints associated with certificates already in your inventory.
Types of Certificate Validations
Next-Gen Trust Security supports two types of certificate validation:
- SSL/TLS validation
- Certificate chain validation
About SSL/TLS Validation
Next-Gen Trust Security performs SSL/TLS validation on each certificate every 24 hours. You can also run validation manually at any time using Validate Now.
SSL/TLS validation confirms that:
- The correct certificate is deployed on the TLS endpoint.
- The certificate is properly configured for the target domain and port.
| Validation status | Description | Risk level | Resolution |
|---|---|---|---|
| Hostname mismatch | The TLS target presented a certificate, but the common name or SAN does not match the domain where the certificate is installed. | High | Install the correct certificate for the domain, or reissue the certificate with the correct CN and SAN values. |
| Old version of certificate found | One or more TLS server endpoints is using an older version of a certificate that should be replaced. | High | Deploy the current version of the certificate on the TLS server. |
| No certificate present | The TLS target did not present a certificate on the specified port. | Warning | Verify the TLS server installation and port number. If the target is no longer valid, remove it from the discovery target list. |
| Unexpected certificate found | The certificate found on the TLS target has a different fingerprint than expected. | Warning | Install the correct certificate on the endpoint. |
| Unknown error | Next-Gen Trust Security encountered an error but could not identify it. | Warning | Retry validation. If the issue persists, contact CyberArk support. |
| Pending | Validation has not yet occurred. | Warning | Run a manual validation or wait for the next scheduled validation cycle. |
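The checks behind the table above amount to three questions about what the endpoint presented: was there a certificate at all, is its fingerprint the one the inventory expects (or a superseded version of it), and do its SAN/CN names cover the domain it is installed on. The following Python is an added example of that logic and is not Next-Gen Trust Security code. The status strings are the page's; the `Presented` record, the `classify()` function, the order in which the checks are applied, the `OK` status for a passing endpoint, and the sample fingerprints are all constructed assumptions. The `fetch_der()` helper shows how the DER leaf certificate would be obtained with the standard library for fingerprinting; the rest runs offline on the embedded sample.

```python
"""Classify what a TLS endpoint presented, using the SSL/TLS validation status
names from the page's table. Added example: status names come from the page;
the record shape, check order and sample data are constructed assumptions."""
import hashlib
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Presented:
    """What the endpoint handed us: a fingerprint plus the names in the certificate."""
    fingerprint: str
    common_name: str = ""
    dns_names: Sequence[str] = ()
    ip_addresses: Sequence[str] = ()


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bytes]:
    """Return the DER leaf certificate an endpoint presents, or None if it sends none.
    A validator must observe whatever is deployed, so certificate and hostname
    verification are switched off here; the judgement is made by classify() instead.
    Network helper, not exercised by the embedded sample below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True) or None


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label
    and matches exactly one label (RFC 6125 rules, so *.example.com covers
    www.example.com but neither example.com nor a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]            # the label the wildcard must cover
    return left != "" and "." not in left


def hostname_matches(cert: Presented, hostname: str) -> bool:
    """Check the installed domain against SAN entries, falling back to the CN only
    when the certificate carries no DNS SANs (the page checks 'common name or SAN')."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:                        # IP literals only ever match iPAddress SANs
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    candidates = list(cert.dns_names) or ([cert.common_name] if cert.common_name else [])
    return any(_dns_name_matches(p, hostname) for p in candidates)


def classify(presented: Optional[Presented], expected_fingerprint: str,
             hostname: str, previous_fingerprints: Sequence[str] = ()) -> str:
    """Map one observation to one validation status (check order is an assumption)."""
    if presented is None:
        return "No certificate present"
    if presented.fingerprint != expected_fingerprint:
        if presented.fingerprint in previous_fingerprints:
            return "Old version of certificate found"
        return "Unexpected certificate found"
    if not hostname_matches(presented, hostname):
        return "Hostname mismatch"
    return "OK"                               # status name assumed; the page lists only failures


# Constructed sample: fake DER bytes stand in for the inventory's current and prior versions
CURRENT_FP = sha256_fingerprint(b"constructed-der-example.com-v2")
PREVIOUS_FP = sha256_fingerprint(b"constructed-der-example.com-v1")
CURRENT_CERT = Presented(CURRENT_FP, "example.com", ("example.com", "*.example.com"))


def sample_results() -> dict:
    """Exercise each table row against the constructed sample."""
    return {
        "www": classify(CURRENT_CERT, CURRENT_FP, "www.example.com"),
        "deep": classify(CURRENT_CERT, CURRENT_FP, "deep.www.example.com"),
        "old": classify(Presented(PREVIOUS_FP, "example.com"), CURRENT_FP, "example.com", [PREVIOUS_FP]),
        "stranger": classify(Presented("00:11:22", "other.test"), CURRENT_FP, "example.com"),
        "none": classify(None, CURRENT_FP, "example.com"),
    }


if __name__ == "__main__":
    for name, status in sample_results().items():
        print(f"{name:>8}: {status}")
```

The fingerprint comparison comes before the name check on purpose: a certificate that is not the expected one is reported as such even when its names happen to cover the domain, which is the case the "Old version of certificate found" row describes. Keeping the previous fingerprints of a reissued certificate is what lets the validator tell a stale deployment apart from a genuinely unexpected certificate.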
About Certificate Chain Validation
Each certificate in Next-Gen Trust Security includes its certificate chain, which starts with the end-entity certificate and continues through intermediate certificates up to a trusted root certificate.
Certificate chain validation ensures that the chain is complete, valid, properly signed, and anchored to a trusted root CA. Errors in the certificate chain can result in trust failures or outages.
To help prevent chain-related issues, Next-Gen Trust Security continuously monitors certificates and their chains.
The following table describes possible certificate chain validation states and recommended actions.
| Validation status | Description | Risk level | Resolution |
|---|---|---|---|
| Chain expiring soon | One or more CA certificates in the chain expires before the end-entity certificate or is nearing expiration. | High | Identify the expiring CA certificate, then download and install the updated chain. If unavailable, renew the certificate and install the full chain. |
| Chain building failed | One or more intermediate or root CA certificates is missing, preventing construction of a complete chain. | Warning | Install the missing intermediate or root CA certificate on the TLS server. |
| Incomplete chain | The endpoint did not return enough valid intermediate certificates to build a trusted chain. | Warning | Verify intermediate certificates are valid and installed correctly, then redeploy the full certificate chain. |
| Chain not trusted | The certificate chain cannot be anchored to a trusted root CA. | Warning | Add the required CA certificate to the trusted CA inventory. |
| Unknown error | Next-Gen Trust Security encountered an error but could not identify it. | Warning | Retry validation. If the issue persists, contact CyberArk support. |
| Pending | Validation has not yet occurred. | Warning | Run a manual validation or wait for the next scheduled validation cycle. |
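Chain validation walks from the end-entity certificate towards a root, one issuer at a time, and can fail at each step: the next issuer may be absent, present but unusable, reached but not trusted, or fine today yet expiring before the certificate it signs. The Python below is an added example of that walk and is not Next-Gen Trust Security code. The status names are the page's; the `CertRecord` shape, the `validate_chain()` function, the precedence between failures, the `OK` status and the sample PKI (names, key ids, dates and the fixed `NOW`) are constructed assumptions. Real validation verifies each signature with the issuer's public key; the records here carry subject and authority key ids to stand in for that link so the example runs without a crypto library.

```python
"""Build and judge a certificate chain using the chain validation status names
from the page's table. Added example: statuses are the page's; the record shape,
the check order and the sample chain are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    subject_key_id: str      # stands in for the certificate's public key
    authority_key_id: str    # stands in for the key that signed it
    not_after: datetime
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject_key_id == self.authority_key_id


def validate_chain(leaf: CertRecord, presented: Sequence[CertRecord],
                   trusted_roots: Sequence[CertRecord], now: datetime,
                   warn_within: timedelta = timedelta(days=30)) -> Tuple[str, List[CertRecord]]:
    """Walk from the end-entity certificate towards a trusted anchor and return
    (status, chain as built so far). The page does not say which failure wins when
    several apply; this order (build, trust, expiry) is an assumption."""
    presented_by_id = {c.subject_key_id: c for c in presented}
    trusted_by_id = {c.subject_key_id: c for c in trusted_roots}
    chain = [leaf]
    current = leaf
    visited = set()
    while current.subject_key_id not in trusted_by_id:
        if current.self_signed:
            # Walked up to a root, but it is not in the trusted CA inventory
            return "Chain not trusted", chain
        if current.subject_key_id in visited:
            return "Chain building failed", chain     # cycle: no route to a root
        visited.add(current.subject_key_id)
        issuer = (presented_by_id.get(current.authority_key_id)
                  or trusted_by_id.get(current.authority_key_id))
        if issuer is None:
            # Neither the endpoint nor the trust store has the next CA certificate
            return "Chain building failed", chain
        if not issuer.is_ca or issuer.not_after <= now:
            # The link exists but is not a usable CA certificate
            return "Incomplete chain", chain + [issuer]
        chain.append(issuer)
        current = issuer
    # Anchored. Now compare every CA lifetime with the end-entity lifetime and with now.
    for ca in chain[1:]:
        if ca.not_after < leaf.not_after or ca.not_after - now <= warn_within:
            return "Chain expiring soon", chain
    return "OK", chain                                # status name assumed


# Constructed sample PKI (names, key ids and dates are made up; fixed "now" keeps runs stable)
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOT = CertRecord("Example Root CA", "Example Root CA", "kid-root", "kid-root",
                  datetime(2035, 1, 1, tzinfo=timezone.utc), is_ca=True)
INTERMEDIATE = CertRecord("Example Issuing CA", "Example Root CA", "kid-int", "kid-root",
                          datetime(2030, 1, 1, tzinfo=timezone.utc), is_ca=True)
LEAF = CertRecord("www.example.com", "Example Issuing CA", "kid-leaf", "kid-int",
                  datetime(2026, 1, 1, tzinfo=timezone.utc))


def sample_results() -> dict:
    """One scenario per table row, run against the constructed PKI."""
    short_lived_int = CertRecord(INTERMEDIATE.subject, INTERMEDIATE.issuer, "kid-int", "kid-root",
                                 datetime(2025, 6, 1, tzinfo=timezone.utc), is_ca=True)
    expired_int = CertRecord(INTERMEDIATE.subject, INTERMEDIATE.issuer, "kid-int", "kid-root",
                             datetime(2024, 12, 1, tzinfo=timezone.utc), is_ca=True)
    return {
        "complete": validate_chain(LEAF, [INTERMEDIATE], [ROOT], NOW)[0],
        "missing_intermediate": validate_chain(LEAF, [], [ROOT], NOW)[0],
        "expired_intermediate": validate_chain(LEAF, [expired_int], [ROOT], NOW)[0],
        "untrusted_root": validate_chain(LEAF, [INTERMEDIATE, ROOT], [], NOW)[0],
        "short_lived_intermediate": validate_chain(LEAF, [short_lived_int], [ROOT], NOW)[0],
    }


if __name__ == "__main__":
    for name, status in sample_results().items():
        print(f"{name:>26}: {status}")
```

The "short_lived_intermediate" scenario is the one the "Chain expiring soon" row warns about: every link verifies and the root is trusted, yet the issuing CA expires in mid-2025 while the end-entity certificate it signed runs to 2026, so the chain will break before the leaf does. That is why the resolution for that row is to install the updated chain rather than to renew the leaf.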
What's Next?
Learn more about related tasks:
- Using Validate Now to discover additional TLS server endpoints
- Finding certificates in your inventory
- Downloading certificates