Post Processing Validators
Post Processing Validators are generally enacted on a complete certificate, either pre or post signing. They are the last step prior to issuance (or post-issuance leading to immediate revocation) to catch a certificate before it gets sent out to the end subscriber.
Validation Phases
There are three possible phases for post processing validators.
Phase | Description |
---|---|
CT pre-certificate Validation | Validators set to enact on this phase use the certificate after the certificate body has been completed, but before requests are sent out to Certificate Transparency logs. The certificate is signed with the CA’s key pair, but contains the CT poison extension to prohibit accidental use. |
Pre-sign Certificate Validation | Like the phase above, but validation is performed by signing the certificate with a dummy key pair. |
Certificate Validation | This phase is enacted on a signed and issued certificate. |
Validator Types
The following describes the available types of post processing validators and links to more information.
pkimetal Validator
ENTERPRISE
The pkimetal Validator is used for linting certificates through the pkimetal meta-linter, as developed and maintained by Sectigo. While the External Command Certificate Validator can be connected to a local linter through scripts, the pkimetal Validator allows the use of all linters supported by pkimetal. Since it is hosted in its own container, it is both more secure (not requiring any scripts to be present on the local machine) and makes linting more readily available on more deployment options. For more information, see pkimetal Validator.
External Command Certificate Validator
The External Command Certificate Validator allows calling an external script for the generated certificate. For more information, see External Command Certificate Validator.
For more information about the validators, see the following sections.