Showing results for 
Search instead for 
Did you mean: 

Machine Certificate validation via HostCheck

Occasional Contributor

Machine Certificate validation via HostCheck

Does anyone know what the hostcheck does as far as validating a Windows Machine certificate?


Does it check the CRL?

Does it validate the private key?



Thanks for any information.

Valued Contributor

Re: Machine Certificate validation via HostCheck

Yes it can check the CRL (if CRL checking is configured) and it checks the key against a trusted cert authority certificte that you load into the box under "System / Configuration / Certificates / Trusted Client CAs"


Occasional Contributor

ÿ"Re: Machine Certificate validation via HostCheck"

In the restriction parameters of a realm or a role you can choose certificates and/or host checker policies directed to cert checks, but:


The check for the CRL is not configured there but at the layer system -> configuration -> Certificates -> trusted client CAs


There you define for a specific Certificate Authority (CA) if you want to check the CRL, or to use the OSC-Protocol (OSCP) to check online the validity of a cert, or to do no checks at all about the validity of the cert when a client presents its client cert.

The check to use a crl or not can so far only be decided at this layer but not at the layer of the concrete hc policy itself. This is at least my understanding of the software mechanism in place with Juniper.


The  "validation of the private key" is always done with every authentication mechanism using certificates on every "real" product from any vendor. Otherwise it would make no sense. The certificate contains only the public key and is spread "all over the world". When someone presents this cert to gain entrance to some secure area, he must have the private key to solve a cryptographic challenge the guard is presenting to him. So the correct answering of this cryptographic challenge is the "validation of the private key": I - and hopefully only I - have it.


regards, William



Respected Contributor

Re: Machine Certificate validation via HostCheck

private key validation based on root CA