Method name: ValidateCertificate

Service description including WSDL schema, and an example request and response for SOAP 1.1 and SOAP 1.2 are located at https://localhost/secusign/default.asmx?op=ValidateCertificate.

localhost denotes the local computer; replace it with the SDK server name or IP address (according to the IIS settings).

Request in SOAP 1.1 interface

POST /secusign/default.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://software602.com/secusign/ValidateCertificate"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateCertificate xmlns="http://software602.com/secusign/">
      <FileName>string</FileName>
      <FileData>base64Binary</FileData>
      <FileType>CERTIFICATE</FileType>
      <Properties>
        <ValidationTime>dateTime</ValidationTime>
        <Psd2Scope>string</Psd2Scope>
        <Psd2Country>string</Psd2Country>
      </Properties>
      <Params>string</Params>
    </ValidateCertificate>
  </soap:Body>
</soap:Envelope>

Input parameters of the method

<FileName>

[mandatory element]

Input Description

String

Name of input file (including extension) to be validated. Example: Certificate.cer

Max. 260 characters.

<FileData>

[mandatory element]

Input Description

Base64Binary

Data of input file with certificate, encoded in Base64.

<FileType>

[mandatory element]

Input Description

CERTIFICATE

Input file data type. CERTIFICATE = X.509 certificate.

<Properties>

[optional element]

<ValidationTime>

[optional element]

Input Description

dateTime

Defines the relevant time as of which the certificate validity is determined.

Example value: 2018-11-09T07:35:00+02:00 (including time zone).

If ValidationTime is not set, the relevant time is set to current time.

Default value: Now (current time from the SecuSign server).

<Psd2Scope>

[optional element]

Input Description

string

The role of the payment service provider for which the license must be valid. This parameter limits the returned roles for a given registry entry. Possible values:

  • PSP_AS - account servicing.

  • PSP_PI - payment initiation.

  • PSP_AI - account information.

  • PSP_IC - issuance of card means of payment.

If parameter is not specified, all valid records are returned regardless of role.

The parameter is case-insensitive.

Default value: all.

<Psd2Country>

[optional element]

Input Description

string

Country in which the license must be valid. This parameter limits the returned roles for a given record. Possible values:

cz - Czech Republic

sk - Slovak Republic

If parameter is not specified, the default value 'cz' for the Czech Republic is used.

The parameter is case-insensitive.

Default value: cz

</Properties>

<Params>

[optional element]

Input Description

String

Not used for certificate validation.
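The request above assembled and checked in code, as an added example that is not part of the SDK documentation or the SDK itself. It assumes only the envelope layout, namespace and SOAPAction header shown in the request sample; the function, parameter and constant names are the example's own, and the certificate bytes in the usage block are a constructed placeholder:

```python
"""Build the SOAP 1.1 ValidateCertificate request documented above.

Added example, not SecuSign SDK code. It assumes only the envelope layout,
namespace and SOAPAction shown in the request sample, and enforces the
documented constraints on the input elements before anything is sent.
"""
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://software602.com/secusign/"
SOAP_ACTION = "http://software602.com/secusign/ValidateCertificate"
PSD2_SCOPES = {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}
PSD2_COUNTRIES = {"cz", "sk"}


def build_validate_certificate_request(file_name, cert_bytes, validation_time=None,
                                       psd2_scope=None, psd2_country=None):
    """Return the request envelope as UTF-8 bytes.

    file_name        name of the certificate file including extension (max. 260 characters)
    cert_bytes       raw certificate file contents; Base64-encoded into <FileData>
    validation_time  timezone-aware datetime, or None to let the server use its current time
    psd2_scope       one of PSD2_SCOPES (case-insensitive), or None for all roles
    psd2_country     'cz' or 'sk' (case-insensitive), or None for the server default 'cz'
    """
    if not file_name or len(file_name) > 260:
        raise ValueError("FileName must be 1 to 260 characters")
    if validation_time is not None and validation_time.utcoffset() is None:
        # The documented example carries an explicit offset; a naive datetime would be
        # interpreted in an unknown zone, so refuse it rather than guess.
        raise ValueError("ValidationTime must include a time zone offset")
    if psd2_scope is not None and psd2_scope.upper() not in PSD2_SCOPES:
        raise ValueError(f"Psd2Scope must be one of {sorted(PSD2_SCOPES)}")
    if psd2_country is not None and psd2_country.lower() not in PSD2_COUNTRIES:
        raise ValueError(f"Psd2Country must be one of {sorted(PSD2_COUNTRIES)}")

    # Emit the service namespace as the default namespace, as in the documented sample.
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("", SVC_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    call = ET.SubElement(ET.SubElement(envelope, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}ValidateCertificate")
    ET.SubElement(call, f"{{{SVC_NS}}}FileName").text = file_name
    ET.SubElement(call, f"{{{SVC_NS}}}FileData").text = base64.b64encode(cert_bytes).decode("ascii")
    ET.SubElement(call, f"{{{SVC_NS}}}FileType").text = "CERTIFICATE"

    # <Properties> is optional; emit it only when at least one child is set.
    if validation_time is not None or psd2_scope or psd2_country:
        props = ET.SubElement(call, f"{{{SVC_NS}}}Properties")
        if validation_time is not None:
            ET.SubElement(props, f"{{{SVC_NS}}}ValidationTime").text = validation_time.isoformat()
        if psd2_scope:
            ET.SubElement(props, f"{{{SVC_NS}}}Psd2Scope").text = psd2_scope.upper()
        if psd2_country:
            ET.SubElement(props, f"{{{SVC_NS}}}Psd2Country").text = psd2_country.lower()
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def request_headers(host, body):
    """HTTP headers for the SOAP 1.1 call; Content-Length is derived from the actual body."""
    return {"Host": host, "Content-Type": "text/xml; charset=utf-8",
            "Content-Length": str(len(body)), "SOAPAction": f'"{SOAP_ACTION}"'}


def post_request(url, host, body):
    """Send the envelope with urllib, leaving TLS certificate verification on (not used offline)."""
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=request_headers(host, body), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    from datetime import datetime, timedelta, timezone
    # Constructed placeholder bytes; a real call would read a DER or PEM certificate file.
    body = build_validate_certificate_request(
        "Certificate.cer", b"\x30\x82\x01\x00-not-a-real-certificate",
        validation_time=datetime(2018, 11, 9, 7, 35, tzinfo=timezone(timedelta(hours=2))),
        psd2_scope="psp_ai", psd2_country="cz")
    print(body.decode("utf-8"))
```

The builder rejects a ValidationTime without a zone offset instead of silently sending a local time the server would interpret in its own zone, and it normalises Psd2Scope and Psd2Country to the documented case before sending even though the service is case-insensitive. When the SDK server runs on localhost with a self-signed IIS certificate, give the client the server certificate to trust rather than turning verification off in `post_request`.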

Response structure

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateCertificateResponse xmlns="http://software602.com/secusign/">
      <ValidateCertificateResult>int</ValidateCertificateResult>
      <certificateValidationInfo>
            <psd2Verification>
               <validityCheck>boolean</validityCheck>
               <validityCheckMessage>string</validityCheckMessage>
               <qualifiedCheck>boolean</qualifiedCheck>
               <qualifiedCheckMessage>string</qualifiedCheckMessage>
               <qualifiedCertTypeCheck>boolean</qualifiedCertTypeCheck>
               <qualifiedCertTypeCheckMessage>string</qualifiedCertTypeCheckMessage>
               <psd2QcStatementCheck>boolean</psd2QcStatementCheck>
               <psd2QcStatementCheckMessage>string</psd2QcStatementCheckMessage>
               <organizationIdentifierCheck>boolean</organizationIdentifierCheck>
               <organizationIdentifierCheckMessage>string</organizationIdentifierCheckMessage>
               <registryCheck>boolean</registryCheck>
               <registryCheckMessage>string</registryCheckMessage>
               <psd2Status>string</psd2Status>
            </psd2Verification>
            <Guid>string</Guid>
            <filename>string</filename>
            <statusIndication>string</statusIndication>
            <statusSubindication>string</statusSubindication>
            <certType>string</certType>
            <qualifiedCertType>string</qualifiedCertType>
            <validationMaterial>
               <validationDate>dateTime</validationDate>
               <certificatePath>
                  <certificate>
                     <uid>4a93397eb251 .. d8c4d5301</uid>
                     <issuerUid>d35e250cb0 .. 12b54e3b1f02</issuerUid>
                     <revocationUid>8e5fa57178b5c1b .. 18720beb1310</revocationUid>
                     <isEndCertificate>true</isEndCertificate>
                     <isTrustedAnchor>false</isTrustedAnchor>
                     <notBefore>2019-05-24T11:32:41+02:00</notBefore>
                     <notAfter>2020-05-23T11:32:41+02:00</notAfter>
                     <subject>C=CZ,2.5.4.97=NTRCZ-63078236,O=Software602 a.s. [IČ 63078236],OU=254,CN=Jmeno Prijmeni,SURNAME=Prijmeni,GIVENNAME=Jmeno,SERIALNUMBER=P564111</subject>
                     <issuer>C=CZ,O=Česká pošta\, s.p. [IČ 47114983],CN=PostSignum Qualified CA 3</issuer>
                     <serialNumber>511111</serialNumber>
                     <qcStatements>
                        <qcStatement name="qc-compliance">0.4.0.1862.1.1</qcStatement>
                        <qcStatement name="qc-sscd">0.4.0.1862.1.4</qcStatement>
                        <qcStatement name="qc-pds">0.4.0.1862.1.5</qcStatement>
                        <qcStatement name="qc-type">0.4.0.1862.1.6</qcStatement>
                     </qcStatements>
                     <qcTypes>
                        <qcType name="esign">0.4.0.1862.1.6.1</qcType>
                     </qcTypes>
                     <certType>QUALIFIED</certType>
                      <qualifiedCertType>ESIGN</qualifiedCertType>
                      <ordinalNumber>0</ordinalNumber>
                     <isSelfSigned>false</isSelfSigned>
                     <source>SECUSIGN</source>
                     <psd2Data>
                        <record>
                           <registryType>eba</registryType>
                           <code>IE_CBI!C190092</code>
                           <pspId>C190092</pspId>
                           <name>CRIF RealTime Ireland Limited</name>
                           <address>Adelphi plaza, George's Street Upper, Dún Laoghaire</address>
                           <city>Dublin</city>
                           <country>IE</country>
                           <licences>
                              <licence>
                                 <country>CZ</country>
                                 <type>PSD_AISP</type>
                                 <scope>PSP_AI</scope>
                                 <validFrom>2019-05-30T02:00:00+02:00</validFrom>
                                 <validTo>0001-01-01T00:00:00</validTo>
                              </licence>
                           </licences>
                        </record>
                        <psd2>
                           <NCAName>Central Bank of Ireland</NCAName>
                           <NCAId>IE-CBI</NCAId>
                           <rolesOfPsp>
                              <roleOfPsp name="PSP_AI">0.4.0.19495.1.3</roleOfPsp>
                           </rolesOfPsp>
                           <organizationIdentifier>PSDIE-CBI-C190092</organizationIdentifier>
                           <pspIdentifier>C190092</pspIdentifier>
                        </psd2>
                     </psd2Data>
                  </certificate>
                  <certificate>
                     <uid>d35e250cb02e27 .. 54e3b1f02</uid>
                     <issuerUid>ad016f958 .. edddc7d6578</issuerUid>
                     <revocationUid>e7b26c175d3dc6f6 .. e15d485ab5e</revocationUid>
                     <isEndCertificate>false</isEndCertificate>
                     <isTrustedAnchor>false</isTrustedAnchor>
                     <notBefore>2014-03-26T09:01:32+01:00</notBefore>
                     <notAfter>2024-03-26T08:00:36+01:00</notAfter>
                     <subject>C=CZ,O=Česká pošta\, s.p. [IČ 47114983],CN=PostSignum Qualified CA 3</subject>
                     <issuer>C=CZ,O=Česká pošta\, s.p. [IČ 47114983],CN=PostSignum Root QCA 2</issuer>
                     <serialNumber>164</serialNumber>
                     <qcStatements/>
                     <qcTypes/>
                     <serviceTypeUri>http://www.602.cz/TrstSvc/Svctype/QCA_ASC</serviceTypeUri>
                     <ordinalNumber>2</ordinalNumber>
                     <isSelfSigned>true</isSelfSigned>
                     <source>SECUSIGN</source>
                  </certificate>
                  <certificate>
                     <uid>ad016f958050 .. edddc7d6578</uid>
                     <issuerUid>ad016f958050e0 .. dddc7d6578</issuerUid>
                     <isEndCertificate>false</isEndCertificate>
                     <isTrustedAnchor>true</isTrustedAnchor>
                     <notBefore>2010-01-19T09:04:31+01:00</notBefore>
                     <notAfter>2025-01-19T09:04:31+01:00</notAfter>
                     <subject>C=CZ,O=Česká pošta\, s.p. [IČ 47114983],CN=PostSignum Root QCA 2</subject>
                     <issuer>C=CZ,O=Česká pošta\, s.p. [IČ 47114983],CN=PostSignum Root QCA 2</issuer>
                     <serialNumber>100</serialNumber>
                     <qcStatements/>
                     <qcTypes/>
                      <serviceStatusUri>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</serviceStatusUri>
                     <serviceTypeUri>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</serviceTypeUri>
                     <ordinalNumber>1</ordinalNumber>
                     <isSelfSigned>false</isSelfSigned>
                     <source>SECUSIGN</source>
                  </certificate>
               </certificatePath>
                <revocations>
                  <revocation>
                     <uid>8e5fa57178 .. 8720beb1310</uid>
                     <type>OCSP</type>
                     <thisUpdate>2019-06-27T11:23:41+02:00</thisUpdate>
                     <nextUpdate xsi:nil="true"/>
                     <producedAt>2019-06-27T11:23:41+02:00</producedAt>
                  </revocation>
                  <revocation>
                     <uid>e7b26c175d3d .. 1e15d485ab5e</uid>
                     <type>CRL</type>
                     <thisUpdate>2018-10-25T09:56:02+02:00</thisUpdate>
                     <nextUpdate>2019-10-25T10:01:02+02:00</nextUpdate>
                     <producedAt xsi:nil="true"/>
                     <source>SECUSIGN</source>
                  </revocation>
                  <revocation>
                     <uid>ea6ce4a9bef17 .. 468f50440ff9</uid>
                     <type>OCSP</type>
                     <thisUpdate>2019-12-18T17:00:35+01:00</thisUpdate>
                     <nextUpdate xsi:nil="true"/>
                     <producedAt>2019-12-18T17:00:35+01:00</producedAt>
                      <source>SECUSIGN</source>
                   </revocation>
               </revocations>
            </validationMaterial>
      </certificateValidationInfo>
      <StatusMessage>string</StatusMessage>
    </ValidateCertificateResponse>
  </soap:Body>
</soap:Envelope>

Output parameters of the method

<ValidateCertificateResult>

Return value Description

Int

Result of the ValidateCertificate method (certificate validation).

0 = OK, otherwise see Return codes of all methods and error described in StatusMessage.

<psd2Verification>

Returned only when a PSD2 certificate is verified.

<validityCheck>

Return value Description

Boolean

Certificate validity check. The certificate must be valid at the time of verification.

<validityCheckMessage>

Return value Description

String

Returns text information if the certificate validation failed.

<qualifiedCheck>

Return value Description

Boolean

Check that the certificate is qualified.

<qualifiedCheckMessage>

Return value Description

String

Returns text information if the certificate qualification checks failed.

<qualifiedCertTypeCheck>

Return value Description

Boolean

Check that the certificate is intended for sealing (SEAL) or web authentication (WEB).

<qualifiedCertTypeCheckMessage>

Return value Description

String

Returns text information if the certificate type check failed.

<psd2QcStatementCheck>

Return value Description

Boolean

Check that the certificate contains PSD2 QCStatement and it contains the required attributes.

<psd2QcStatementCheckMessage>

Return value Description

String

Returns textual information if the checks for PSD2 QCStatement and the required attribute in the certificate failed.

<organizationIdentifierCheck>

Return value Description

Boolean

Check that the certificate contains the organizationIdentifier attribute and that it is in the correct format.

<organizationIdentifierCheckMessage>

Return value Description

String

Returns textual information if the check of the organizationIdentifier attribute and its format failed.

<registryCheck>

Return value Description

Boolean

Registry entry check. Passes when a valid entry for the payment service provider has been found in the register and that entry contains valid licenses for the activities in question; these activities must also be stated in the certificate.

<registryCheckMessage>

Return value Description

String

Returns textual information if the registry entry check failed.

<validLicensesCheck>

Return value Description

Boolean

Checks the validity of the requested license. The result tells whether the requested activities are active for the given country.

In the query, it is possible to specify the activity for which the validity is checked (Psd2Scope) and the country in which the validity is checked (Psd2Country). If not specified, all activities listed in the certificate for the country of origin (cz - Czech Republic) are checked.

Possible values:

  • PSP_AS - account servicing.

  • PSP_PI - payment initiation.

  • PSP_AI - account information.

  • PSP_IC - issuance of card means of payment.

<validLicensesCheckMessage>

Return value Description

String

It contains any additional information on checking the validity of the requested license (in Czech language).

<psd2Status>

Return value Description

String

PSD2 status of the certificate. The result can take the following values:

  • QWAC - a qualified authentication certificate for a website that complies with PSD2.

  • QsealC - a qualified sealing certificate for the website that complies with PSD2.

  • FAIL - if any of the conditions are not met.

</psd2Verification>

<Guid>

Return value Description

String

Unique ID of the given certificate validation method call.

<filename>

Return value Description

String

Name of file with the certificate to be validated. Max. 260 characters.

<statusIndication>

Return value Description

String

Resulting status (indication) of certificate validation. It may be one of the following values:

  • VALID – the certificate is assessed to be valid.

  • INDETERMINATE – the certificate status cannot be determined right now.

  • INVALID – the certificate is assessed to be invalid.

<statusSubindication>

Return value Description

String

Supplementary status (indication) of certificate validation. It may be one of the following values:

  • OK – the certificate is assessed to be valid.

  • EXPIRED – the validated certificate was expired (invalid) at the time of validation.

  • NO_CERTIFICATE_CHAIN_FOUND – the certificate issuer’s certification path cannot be composed.

  • REVOKED – the certificate has been revoked.

  • FORMAT_FAILURE – there is an error in the format of certificate input data.

<certType>

Return value Description

String

Type of validated certificate. It may be one of the following values:

  • UNKNOWN – unknown certificate (the path has not been composed and the type cannot be determined).

  • QUALIFIED – qualified certificate.

  • COMMERCIAL – commercial certificate.

  • INTERNAL_STORAGE – certificate from an internal storage (a certification path from a trusted store has been composed, but the type cannot be determined).

  • INTERNAL - certificate of a selected private certification authority, which is marked as internal.

  • SYSTEM - system certificate issued pursuant to Czech Act 227/2000 Coll.

  • TEST - certificate of the selected private certification authority, which is marked as testing.

<qualifiedCertType>

Return value Description

String

Type of qualified certificate; returned only when the certificate is qualified. It may be one of the following values:

  • ESIGN – electronic signature certificate.

  • ESEAL – electronic seal certificate.

  • WEB – certificate for web/service authentication.

  • UNKNOWN – unknown certificate (cannot be determined).

<validationMaterial>

<validationDate>

Return value Description

dateTime

Date as of which the certificate was validated.

<certificatePath>

Certification path from the validated end certificate to the root certificate.

<certificate>

<certType>

Return value Description

String

Type of validated certificate. It may be one of the following values:

  • QUALIFIED – qualified certificate.

  • COMMERCIAL – commercial certificate.

  • INTERNAL_STORAGE – certificate from an internal storage (a certification path from a trusted store has been composed, but the type cannot be determined).

  • UNKNOWN – unknown certificate (the path has not been composed and the type cannot be determined).

<qualifiedCertType>

Return value Description

String

Type of qualified certificate; returned only when the certificate is qualified. It may be one of the following values:

  • ESIGN – electronic signature certificate.

  • ESEAL – electronic seal certificate.

  • WEB – certificate for web/service authentication.

  • UNKNOWN – unknown certificate (cannot be determined).

<ServiceStatusUri>

Return value Description

String

Contains the full URI specifying the authority’s service status on the TSL, e.g., http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted.

<ServiceTypeUri>

Return value Description

String

Contains the full URI specifying the authority’s service type on the TSL, e.g., http://uri.etsi.org/TrstSvc/Svctype/CA/QC.

<ordinalNumber>

Return value Description

String

Position of the certificate in the certification path from the end certificate up to the root certificate of the issuing certification authority. Possible values (0 for the end certificate up to N):

  • 0 – end.

  • 1 – intermediate.

  • 2 – may be intermediate or root.

  • 3 …

<isSelfSigned>

Return value Description

Boolean

Specifies whether the certificate is self-signed. Possible values: false/true.

True is returned e.g., for a root certificate.

<source>

Return value Description

String

Specifies a trusted store source against which the certificate was validated. It may be one of the following values:

  • SECUSIGN – SecuSign service backend servers.

  • LOCAL_STORAGE – internal certificate store on the client’s SecuSign SDK server.

<uid>

Return value Description

String

Unique identifier of the validated certificate. It is the SHA-256 hash of the certificate.

<issuerUid>

Return value Description

String

Unique identifier of the validated certificate’s issuer. It is the SHA-256 hash of the issuer’s certificate.

<revocationUid>

Return value Description

String

Unique identifier of revocation data acquired for the validated certificate. It is the SHA-256 hash of the revocation data.

<isEndCertificate>

Return value Description

Boolean

Specifies whether it is an end certificate.

<isTrustedAnchor>

Return value Description

Boolean

Specifies whether the certificate is a trust anchor (the root certificate of the path).

<notBefore>

Return value Description

dateTime

Date and time of the certificate validity start.

<notAfter>

Return value Description

dateTime

Date and time of the certificate validity end.

<subject>

Return value Description

String

Details from the certificate attribute Subject, e.g.:

  • CN = Common Name.

  • GN = Given Name.

  • SN = Surname.

  • SERIALNUMBER = Serial number.

  • C = Country.

  • L = Locality.

  • E = E-mail.

  • O = Organization.

  • OU = Organizational unit.

  • Pseudonym = pseudonym.

<issuer>

Return value Description

String

Complete details of the certificate issuer from the Issuer attribute.

<serialNumber>

Return value Description

String

Serial number of the validated certificate (in decimal form).

<qcStatements>

<qcStatement>

Return value Description

String

Qualified certificate issuer’s statement as an OID. Possible values include:

  • 0.4.0.1862.1.1 = qc-compliance (European qualified certificate).

  • 0.4.0.1862.1.4 = qc-sscd (The certificate is stored on a qualified device (QSCD) in compliance with eIDAS - Regulation no. 910/2014 of the European Parliament and of the Council (EU)).

  • 0.4.0.1862.1.5 = qc-pds (Message for the user).

  • 0.4.0.1862.1.6 = qc-type (Certificate type).

</qcStatements>

<qcTypes>

<qcType>

Return value Description

String

Type of signature/seal/timestamp certificate according to eIDAS, only for QUALIFIED and LEGACY certificate types. Possible values include:

  • 0.4.0.1862.1.6.1 = Certificate for electronic signature in compliance with eIDAS - Regulation no. 910/2014 of the European Parliament and of the Council (EU).

  • 0.4.0.1862.1.6.2 = Certificate for electronic seal in compliance with eIDAS - Regulation no. 910/2014 of the European Parliament and of the Council (EU).

  • 0.4.0.1862.1.6.3 = Certificate for website authentication in compliance with eIDAS - Regulation no. 910/2014 of the European Parliament and of the Council (EU).

</qcTypes>

</certificate>

</certificatePath>

<revocations>

<revocation>

<uid>

Return value Description

String

Unique identifier of revocation data acquired for the validated certificate. It is the SHA-256 hash of the revocation data.

<type>

Return value Description

String

Type of acquired revocation data. Values: OCSP, CRL.

<thisUpdate>

Return value Description

dateTime

Start of validity (issue date and time) for the acquired revocation data.

<nextUpdate>

Return value Description

dateTime

Date and time at which the next revocation data is expected to be issued.

<producedAt>

Return value Description

dateTime

Date and time when OCSP responder signed the OCSP response.

<source>

Return value Description

String

Specifies a trusted store source for the acquired validation data. It may be one of the following values:

  • SECUSIGN – SecuSign service backend servers.

  • INTERNAL_STORAGE – internal certificate store on the client’s SecuSign SDK server.

</revocations>

</validationMaterial>

</certificateValidationInfo>

<StatusMessage>

Return value Description

String

If there is an error, contains textual information with result details, e.g.:

  • Signing certificate expired on Sat May 16 14:02:30 CEST 2015.

  • Certificate has been revoked on Fri Jun 29 13:19:27 CEST 2018.

  • Code 9999: cz.software602.sdar.common.SdarException: Cannot find issuer 'ACAeID3.1 - Issuing Certificate' in 'c:\CertificateStore\.. '
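Consuming the response structure and the output parameters described above, as an added example that is not SDK code: it parses the envelope and then re-checks, from the returned material alone, the things a relying party should not take on faith from statusIndication (each PSD2 sub-check, the uid/issuerUid linkage from the end certificate to a trust anchor, and whether any CRL was already past nextUpdate at validationDate). SAMPLE_RESPONSE is constructed for the example, with placeholder uids, GUID and dates; parse_response and assess are the example's own names.

```python
"""Evaluate a ValidateCertificate response before trusting it.

Added example, not SecuSign SDK code; it assumes only the response layout and element
semantics documented above. SAMPLE_RESPONSE is constructed: uids, GUID and dates are placeholders."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "s": "http://software602.com/secusign/"}
PSD2_CHECKS = ("validityCheck", "qualifiedCheck", "qualifiedCertTypeCheck",
               "psd2QcStatementCheck", "organizationIdentifierCheck", "registryCheck")

SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><ValidateCertificateResponse xmlns="http://software602.com/secusign/">
<ValidateCertificateResult>0</ValidateCertificateResult>
<certificateValidationInfo>
<psd2Verification><validityCheck>true</validityCheck><qualifiedCheck>true</qualifiedCheck><qualifiedCertTypeCheck>true</qualifiedCertTypeCheck>
<psd2QcStatementCheck>true</psd2QcStatementCheck><organizationIdentifierCheck>true</organizationIdentifierCheck><registryCheck>true</registryCheck>
<psd2Status>QWAC</psd2Status></psd2Verification>
<Guid>constructed-guid</Guid><statusIndication>VALID</statusIndication><statusSubindication>OK</statusSubindication>
<validationMaterial><validationDate>2019-12-18T17:00:35+01:00</validationDate><certificatePath>
<certificate><uid>end-aaa</uid><issuerUid>ca-bbb</issuerUid><isEndCertificate>true</isEndCertificate>
<isTrustedAnchor>false</isTrustedAnchor><notBefore>2019-05-24T11:32:41+02:00</notBefore><notAfter>2020-05-23T11:32:41+02:00</notAfter></certificate>
<certificate><uid>ca-bbb</uid><issuerUid>root-ccc</issuerUid><isEndCertificate>false</isEndCertificate>
<isTrustedAnchor>false</isTrustedAnchor><notBefore>2014-03-26T09:01:32+01:00</notBefore><notAfter>2024-03-26T08:00:36+01:00</notAfter></certificate>
<certificate><uid>root-ccc</uid><issuerUid>root-ccc</issuerUid><isEndCertificate>false</isEndCertificate>
<isTrustedAnchor>true</isTrustedAnchor><notBefore>2010-01-19T09:04:31+01:00</notBefore><notAfter>2025-01-19T09:04:31+01:00</notAfter></certificate>
</certificatePath><revocations>
<revocation><uid>ocsp-1</uid><type>OCSP</type><thisUpdate>2019-12-18T17:00:35+01:00</thisUpdate><nextUpdate xsi:nil="true"/></revocation>
<revocation><uid>crl-1</uid><type>CRL</type><thisUpdate>2019-10-25T09:56:02+02:00</thisUpdate><nextUpdate>2020-10-25T10:01:02+02:00</nextUpdate></revocation>
</revocations></validationMaterial></certificateValidationInfo><StatusMessage/>
</ValidateCertificateResponse></soap:Body></soap:Envelope>"""


def _text(elem, path):
    child = elem.find(path, NS)
    return child.text.strip() if child is not None and child.text else None  # absent, nil or empty -> None


def _time(elem, path):
    value = _text(elem, path)  # zone-less values are dropped: they cannot be compared with aware ones
    return datetime.fromisoformat(value) if value and datetime.fromisoformat(value).tzinfo else None


def parse_response(xml_bytes):
    """Extract the fields assess() needs; chain and revocations are lists of dicts."""
    resp = ET.fromstring(xml_bytes).find("soap:Body/s:ValidateCertificateResponse", NS)
    if resp is None:
        raise ValueError("not a ValidateCertificateResponse envelope")
    out = {"result": int(_text(resp, "s:ValidateCertificateResult") or -1), "status_message": _text(resp, "s:StatusMessage"),
           "indication": None, "psd2": None, "validation_date": None, "chain": [], "revocations": []}
    info = resp.find("s:certificateValidationInfo", NS)
    if info is None:  # nothing more comes back when the call itself failed
        return out
    out["indication"] = _text(info, "s:statusIndication")
    psd2 = info.find("s:psd2Verification", NS)
    if psd2 is not None:  # returned only for PSD2 certificates
        out["psd2"] = {n: (_text(psd2, "s:" + n) == "true", _text(psd2, "s:" + n + "Message")) for n in PSD2_CHECKS}
        out["psd2"]["psd2Status"] = _text(psd2, "s:psd2Status")
    material = info.find("s:validationMaterial", NS)
    if material is not None:
        out["validation_date"] = _time(material, "s:validationDate")
        out["chain"] = [{"uid": _text(c, "s:uid"), "issuer_uid": _text(c, "s:issuerUid"),
                         "end": _text(c, "s:isEndCertificate") == "true", "anchor": _text(c, "s:isTrustedAnchor") == "true"}
                        for c in material.findall("s:certificatePath/s:certificate", NS)]
        out["revocations"] = [{"type": _text(r, "s:type"), "next_update": _time(r, "s:nextUpdate")}
                              for r in material.findall("s:revocations/s:revocation", NS)]
    return out


def assess(parsed):
    """Reasons to reject; an empty list means acceptable. Re-checks every PSD2 sub-check, the
    uid/issuerUid linkage from end certificate to trust anchor, and CRL freshness at validationDate."""
    if parsed["result"] != 0:
        return [f"result code {parsed['result']}: {parsed['status_message']}"]
    problems = [] if parsed["indication"] == "VALID" else [f"statusIndication {parsed['indication']}"]
    if parsed["psd2"] is not None:
        for name in PSD2_CHECKS:
            ok, message = parsed["psd2"][name]
            if not ok:
                problems.append(f"{name} failed: {message or 'no message'}")
        if parsed["psd2"]["psd2Status"] not in ("QWAC", "QsealC"):
            problems.append(f"psd2Status {parsed['psd2']['psd2Status']}")
    by_uid = {c["uid"]: c for c in parsed["chain"]}
    current, seen = next((c for c in parsed["chain"] if c["end"]), None), set()
    while current is not None and not current["anchor"]:  # walk issuerUid links up to the anchor
        seen.add(current["uid"])
        current = by_uid.get(current["issuer_uid"])
        if current is None or current["uid"] in seen:  # missing issuer, or a cycle that never reaches an anchor
            break
    if current is None or not current["anchor"]:
        problems.append("certificatePath does not link the end certificate to a trust anchor")
    when = parsed["validation_date"]
    for rev in parsed["revocations"]:
        if when and rev["next_update"] and rev["next_update"] < when:
            problems.append(f"{rev['type']} revocation data stale: nextUpdate {rev['next_update'].isoformat()}")
    return problems
```

The chain walk keeps a `seen` set because a self-signed certificate whose issuerUid equals its own uid but which is not flagged isTrustedAnchor would otherwise loop forever. An OCSP response with `nextUpdate xsi:nil="true"` is never reported as stale, because no expiry was asserted; only material with an explicit nextUpdate earlier than validationDate is flagged. Note that the page's own sample output contains a CRL whose nextUpdate (2019-10-25) precedes the OCSP producedAt of 2019-12-18 in the same response, which is exactly the situation this check exists to surface.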