AM 7.5.0

Certificate Validation node

The Certificate Validation node validates a digital X.509 certificate collected by the Certificate Collector node.


Product Compatible?

ForgeRock Identity Cloud


ForgeRock Access Management (self-managed)


ForgeRock Identity Platform (self-managed)



This node requires an X509Certificate property in the incoming node state.

Implement the Certificate Collector node as input to the Certificate Validation node.


Property Usage

Match Certificate in LDAP

When enabled, AM matches the certificate collected with the one stored in an LDAP directory entry. You define the name of this entry and additional security-related properties later in the node configuration.

Default: Disabled

Check Certificate Expiration

When enabled, AM checks whether the provided certificate has expired.

Default: Disabled

Subject DN Attribute Used to Search LDAP for Certificates

The attribute that AM uses to search the LDAP directory for the certificate. The search filter is based on this attribute and the value of the Subject DN as it appears in the certificate.

Default: CN

Match Certificate to CRL

When enabled, AM checks whether the certificate has been revoked according to a Certificate Revocation List (CRL) in the LDAP directory. Define related CRL properties later in the node configuration.

Default: Disabled.

Issuer DN Attribute(s) Used to Search LDAP for CRLs

The name of the attribute or attributes in the issuer certificate that AM uses to locate the CRL in the LDAP directory.

  • If you specify only one attribute here, the LDAP search filter used is (attr-name=attr-value-in-subject-DN).

    For example, if the subject DN of the issuer certificate is C=US, CN=Some CA, serialNumber=123456, and the attribute specified is CN, then AM uses a search filter of (CN=Some CA) to locate the CRL.

  • Specify several CRLs for the same CA issuer in a comma-separated list (,) where the names are in the same order in which they appear in the subject DN.

    In this case, the LDAP search filter used is (attr1=attr1-value-in-subject-DN,attr2=attr2-value-in-subject-DN,…​), and so on.

    For example, if the subject DN of the issuer certificate is C=US, CN=Some CA, serialNumber=123456, and the attributes specified are CN,serialNumber, then the LDAP search filter used to find the CRL is (CN=Some CA,serialNumber=123456).

Default: CN

HTTP Parameters for CRL Update

Parameters that AM includes in any HTTP CRL call to the CA that issued the certificate.

If the client or CA certificate includes the IssuingDistributionPoint extension, AM uses this information to retrieve the CRL from the distribution point.

Add the parameters as key-value pairs in a comma-separated list (,). For example, param1=value1,param2=value2.

Cache CRLs in Memory

When enabled, AM caches CRLs in memory.

If this option is enabled, Update CA CRLs from CRLDistributionPoint must also be enabled.

Default: Enabled

Update CA CRLs from CRLDistributionPoint

When enabled, AM fetches new CA CRLs from the CRL Distribution Point and updates them in the LDAP directory. If the CA certificate includes either the IssuingDistributionPoint or the CRLDistributionPoint extensions, AM attempts to update the CRLs when they’re out of date.

Default: Enabled

OCSP Validation

When enabled, AM checks the validity of certificates using the Online Certificate Status Protocol (OCSP).

The AM instance must have internet access, and you must configure OSCP for AM under Configure > Server Defaults > Security > Online Certificate Status Protocol Check.

Default: Disabled

LDAP Server Where Certificates are Stored

The LDAP server that holds certificates. Enter the server details in the format ldap-server:port .

To associate multiple AM servers in a site with corresponding LDAP servers, use the format `am_server

ldapserver:_port_`. For example,|

LDAP Search Start or Base DN

Valid base DN for the LDAP search, such as dc=example,dc=com. To associate AM servers with different search base DNs, use the format am_server|base_dn. For example,|dc=example,dc=com|dc=test,dc=com.

LDAP Server Authentication User and LDAP Server Authentication Password

The credentials used to connect to the LDAP directory that holds the certificates.

If you enable mTLS, the node ignores these credentials.

Default Authentication User: cn=Directory Manager

mTLS Enabled

Enables mTLS (mutual TLS) between AM and the directory server.

When mTLS is enabled, the node ignores the values for LDAP Server Authentication User and LDAP Server Authentication Password.

If you enable this property, you must:

  • Enable Use SSL/TLS for LDAP Access.

  • Provide an mTLS Secret Label Identifier.

Default: Disabled

mTLS Secret Label Identifier

An identifier used to create a secret label for mapping to the mTLS certificate in the secret store. AM uses this identifier to create a specific secret label for this node. The secret label takes the form am.authentication.nodes.certificate.validation.mtls.identifier.cert , where identifier is the value of mTLS Secret Label Identifier. The label can only contain alphanumeric characters (a-z, A-Z, 0-9) and periods (.). It can’t start or end with a period.

For greater security, you should rotate certificates periodically. When you rotate a certificate, update the corresponding mapping in the realm secret store configuration to reflect this identifier. When you rotate a certificate, AM closes any existing connections using the old certificate. A new connection is selected from the connection pool and no server restart is required.

Use SSL/TLS for LDAP Access


This node doesn’t put anything into the shared state.



The node could validate the certificate.

When the outcome is True, add a Certificate User Extractor node to extract the values of the certificate.


The node couldn’t validate the certificate. The journey follows this path when the node can’t validate the certificate and no more specific outcome is available.

Not found

The Match Certificate in LDAP property is enabled, but the certificate wasn’t found in the LDAP store.


The Check Certificate Expiration property is enabled, and the certificate has expired.

Path Validation Failed

The Match Certificate to CRL property is enabled, and the certificate path is invalid.


The OCSP Validation property is enabled, and the certificate has been revoked.


The following is an example of how to use the certificate nodes in a ForgeRock Identity Platform authentication journey. Note that all the failure outcomes of the Certificate Validation node are linked so that the user provides a username and password, but you could choose different authentication methods for each outcome:

The Certificate Validation authentication node in context
Copyright © 2010-2024 ForgeRock, all rights reserved.