Configuring Server Certificate Validation Settings

You can configure server certificate validation settings to tighten or relax how a bridge validates the server certificate that a remote event broker presents to the local event broker during the TLS/SSL handshake. Each setting below loosens a check the bridge performs by default, so disabling one should be a deliberate decision rather than a troubleshooting shortcut.

Certificate validation settings can be specified for Message VPN bridges and replication Config-Sync bridges.

You can make the following certificate validation configurations:

  • enforce a list of trusted common names
  • set a maximum certificate chain depth
  • enable or disable certificate date validation

For information on setting a client certificate for Message VPN bridges, refer to Configuring Client Certificate Authentication.

Enforcing Trusted Common Names

You can configure a list of trusted common names that a connecting bridge or event broker expects to find in the server certificate it receives from the remote bridge. You can choose not to enforce this list, in which case the connecting bridge or event broker accepts any server certificate that passes its remaining checks (chain and date validation), regardless of the common name. In other words, with enforcement disabled the bridge still verifies that the certificate is trusted, but no longer verifies that it belongs to the intended remote event broker.

By default, enforce-trusted-common-name is enabled.

  • Message VPN Bridges

    To enable the checking of common names on Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# enforce-trusted-common-name

  • Replication Config-Sync Bridges

    To enable the checking of common names on Replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# enforce-trusted-common-name

The no version of these commands, no enforce-trusted-common-name, disables the checking of trusted common names.

If this option is enabled but no trusted common names have been configured for the bridge, the connection is not permitted: there is nothing for the received certificate's common name to match.

Configuring Maximum Certificate Chain Depths

The depth of a certificate chain is the number of signing CA certificates present in the chain between the server certificate and a trusted self-signed root CA certificate. Setting a maximum certificate chain depth causes bridge connections to reject any server certificate whose chain is deeper than that limit.

  • Message VPN Bridges

    To configure the maximum certificate chain depth for Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# max-certificate-chain-depth <max-depth>

    Where:

    <max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.

  • Replication Config-Sync Bridges

    To configure the maximum certificate chain depth for replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# max-certificate-chain-depth <max-depth>

    Where:

    <max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.

The no version of these commands, no max-certificate-chain-depth, resets this parameter to its default value.

Enabling Certificate Date Validation

Certificates carry "not before" and "not after" dates that bound the period for which they are valid. This setting enables or disables validation of those dates. If the check is disabled, the bridge accepts a certificate that has expired or is not yet valid.

By default, validation of certificate dates is enabled.

  • Message VPN Bridges

    To enable validation of certificate dates for Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# validate-certificate-date

  • Replication Config-Sync Bridges

    To enable validation of certificate dates for replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# validate-certificate-date

The no version of these commands, no validate-certificate-date, disables validation of the certificate dates.
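The three checks described above (trusted common name, maximum chain depth, and certificate dates) can be reproduced outside the broker with openssl, which is useful for testing a remote broker's certificate before enabling the checks on a bridge. The script below is an added example, not part of the Solace documentation or product: it builds a constructed three-level test chain (hypothetical root CA, intermediate CA, and server certificate for broker-b.example.com) and applies each check to it. It assumes openssl 1.1.0 or later, where -verify_depth counts only intermediate CA certificates; the page's own depth definition counts signing CA certificates back to the root, so map the value accordingly when comparing against max-certificate-chain-depth.

```shell
#!/bin/sh
# Added example (not Solace's code): reproduce the three server-certificate
# checks a bridge applies (trusted common name, maximum chain depth, validity
# dates) with openssl against a constructed test chain. Host and CA names are
# hypothetical. Assumes openssl 1.1.0 or later, where -verify_depth counts
# only intermediate CAs (the server certificate and trust anchor do not count).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints = CA:FALSE' \
  'subjectAltName = DNS:broker-b.example.com' > "$WORK/srv.ext"

# Constructed chain: root CA -> intermediate CA -> server certificate
# (one intermediate, so the chain is one CA certificate deep in openssl terms).
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
newkey "$WORK/root.key"
openssl req -config "$WORK/req.cnf" -x509 -new -key "$WORK/root.key" \
  -subj "/CN=Example Root CA" -days 3650 -extensions v3_ca -out "$WORK/root.crt"
newkey "$WORK/int.key"
openssl req -config "$WORK/req.cnf" -new -key "$WORK/int.key" \
  -subj "/CN=Example Intermediate CA" -out "$WORK/int.csr"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.crt"
newkey "$WORK/srv.key"
openssl req -config "$WORK/req.cnf" -new -key "$WORK/srv.key" \
  -subj "/CN=broker-b.example.com" -out "$WORK/srv.csr"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt"

# Subject common name of a certificate, the value the bridge compares against
# its configured trusted-common-name list.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# enforce-trusted-common-name: accept only if the CN is in the space-separated
# list given as $2. An empty list rejects every certificate, which is what the
# bridge does when enforcement is on but no trusted common names are configured.
check_trusted_cn() {
  cn=$(cert_cn "$1")
  for trusted in $2; do
    [ "$cn" = "$trusted" ] && return 0
  done
  return 1
}

# max-certificate-chain-depth: reject a chain with more than $2 intermediate CAs.
check_chain_depth() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_depth "$2" "$1" >/dev/null 2>&1
}

# validate-certificate-date: verify the chain as of the epoch time given in $2,
# so both "not yet valid" and "expired" cases can be exercised.
check_dates() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -attime "$2" "$1" >/dev/null 2>&1
}

report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report check_trusted_cn "$WORK/srv.crt" "broker-b.example.com broker-c.example.com"
report check_trusted_cn "$WORK/srv.crt" ""
report check_chain_depth "$WORK/srv.crt" 1
report check_chain_depth "$WORK/srv.crt" 0
report check_dates "$WORK/srv.crt" "$(date +%s)"
report check_dates "$WORK/srv.crt" "$(( $(date +%s) + 400 * 86400 ))"
```

Two points the script makes concrete. The common-name check is a plain string match on the subject CN, so the trusted list on the bridge must be updated whenever the remote broker's certificate is reissued with a different subject; and because the check is the only one of the three that ties the certificate to a specific remote broker, disabling it leaves a bridge that will connect to any host holding a certificate from a trusted CA. The depth check shows why the limit matters in both directions: too low and a legitimate chain through an intermediate CA is rejected, too high and the bridge accepts arbitrarily deep chains from the same trust anchor.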