Data Sheet: Axway Validation Authority (VA) Suite

PKI safeguards for secure applications

System Specifications

View Full Specs

Ready to learn more about what Axway can do for your business?

Let’s talk.


Your email will not be shared or sold to a third party. Axway respects your privacy.

Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to secure everything from enterprise networks, to multi-million dollar electronic transactions, to military facilities. Within these PKI environments, protecting high-value assets — whether they are product plans, financial data, patient records, or physical locations — requires both vigilance and diligence.

Axway Validation Authority (VA) Suite offers a comprehensive, scalable, and reliable framework for real-time validation of digital certificates and access permissions within PKI environments. VA Suite is Certificate Authority (CA)-neutral and provides support for multiple CAs, several different trust models, and CA-specific validation policies.

Axway VA Suite is:

  • Vigilant in determining whether people are who they say they are, and if their digital certificates are valid and current
  • Diligent in verifying which secure applications, networks, and locations the owner of a valid digital certificate is authorized to access at any given point in time

Key Features & Benefits

Flexible and robust certificate validation

Axway Identity Validation Suite is CA-neutral and supports all widely adopted international security standards and open technologies

  • ƒƒCertified to meet Common Criteria (EAL 3), FIPS 201, NIST PDVAL, FIPS 140-2, and DoD JITC standards ƒƒ
  • OCSP and SCVP compliant (RFC 2560, RFC 5055) ƒƒ
  • Entrust-ready and IdenTrust-compliant ƒƒ
  • Part of the IdenTrust, SWIFT Trust Act, BACS, and Global Trust Authority financial trust infrastructures ƒƒ
  • Interoperable with leading cryptographic hardware, including products certified to FIPS 140-2 Level 3 and 4, as well as smart cards such as the DoD Common Access Card and the Federal Personal Identity Verification Card or national eID-card

Validation Authority Server

A high-performance multi-platform server that processes client digital certificate status queries using a variety of protocols, including OCSP, SCVP, CMP, and VACRL

Server Validator

A flexible client application for validating digital certificates from the most widely used secure Web servers and Web application servers

Desktop Validator

A flexible client application that enables Microsoft Windows-based desktop and server applications to validate digital certificates via the Microsoft Cryptographic API (CAPI)

Validator Toolkits

A complete set of certificate validation functions, source code examples, and reference manuals that enables certificate validation integration into commercial or custom applications developed in C/C++ or Java

Next-Generation Certificate Validation

Identifying invalid or revoked digital certificates is just the tip of the PKI iceberg. Beneath the surface, a secure PKI also needs to: ƒƒ

  • Know which applications and/or network locations a user is authorized to accessƒƒ
  • Enforce level of access and any enterprise policies that apply to the user's account
  • Federate the user's physical access rights across multiple buildings and/or geographic locations
  • Provide visibility into the “what, where, and when” of each and every instance of the user's physical and logical access 
    Axway VA Suite’s Server-based Certificate Validation Protocol (SCVP) technologies enables applications to delegate both revocation-checking and path validation to a trusted server in a single request.

    SCVP enables harvesting of an entity’s credential for the full range of access rights, crossvalidated across multiple certificate chains by highly accredited certification issuers.

Axway VA Suite

The most widely deployed validator of digital certificates

Axway VA Suite consists of several components that provide a flexible and robust certificate validation solution for both standard and custom desktop and server applications. These components may be used together or, leveraging open standards, integrated with existing solutions using OCSP or SCVP (RFC 5055).

With support for caching and replication of revocation data regardless of format, VA Suite enables cost-effective scalability across a wide range of operational environments, including hardware-software appliance and Java-based solutions for distributed or hosted environments.

VA Server

VA Server Key Features & Benefits

VA-to-VA mirroring (replication) ƒ

  • Supports backup, load balancing, and failover by replicating the same certificate revocation data across a cluster of VA Servers

Distributed repeater-responder caching

  • Maintains a cache loaded with OCSP responses that are pre-computed or dynamically built up by proxy client requests to a responder ƒƒ
  • Supports non-OCSP clients or clients that want to maintain their own revocation data caches for backup and in low-bandwidth and non real-time environments

Robust security and non-repudiation

  • Supports SSL-based communications with clients, digitally signed client requests/responses, and digitally signed XML logs and CRL archives, as well as SSL-based server administration ƒƒ
  • Supports software, PKCS #11, and CAPI token-based hardware signing and encryption products from all leading vendors

VA Server Validator

VA Server Validator is a flexible client application that enables digital certificate validation on the most widely used secure Web and application servers available on UNIX, Windows, and Apple platforms, including: ƒƒ

  • Apache ƒƒ
  • Oracle Application Server ƒƒ
  • Red Hat Strong Hold ƒƒ
  • BEA WebLogic ƒƒ
  • IBM Lotus Domino

VA Server Validator utilizes the native interfaces of these Web and application servers to add digital certificate validation functionality as part of the product’s PKI-based client authentication. Working as a plug-in, VA Server Validator can query a VA Server (or any other standards-based digital certificate validation responder) or utilize a CRL to determine the status of a digital certificate presented by a client. Clients with revoked or expired certificates are denied access to the server or application.

VA Desktop Validator

VA Desktop Validator is a flexible client solution that enables digital certificate validation in the most commonly used Microsoft Windows-based desktop and server applications. VA Desktop Validator integrates seamlessly with any Microsoft Cryptographic API (CAPI)- compliant client or server application:

  • Validates digital certificates encountered by PKI-enabled Windows applications via CRL lookups or standard protocol queries to a VA Server or other OCSP or SCVP standardsbased responder
  • Is highly available and can be remotely installed, configured, and maintained using applications such as Microsoft SMS, CA Unicenter or Microsoft Active Directoryƒƒ
  • Supports single sign-on applications based on digital certificates stored on smart cards such as the DoD Common Access Card
  • Enables secure workflow applications based on digitally signed documents and secure email (S/MIME) messages

Server Validator & Desktop Validator Key Features & Benefits

Robust security and non-repudiation

  • Processes CRL data from multiple CA or VA sources to support complex trust models and certificate policy controls for path processing and policy enforcement
  • Performs end-to-end certificate validation if one or more intermediate CAs are used and the validation policy requires a complete certificate chain validation ƒ
  • Communicates securely with VA Server utilizing SSL/TLS, and digitally signs requests to the VA Server for deployments that require a high degree of auditability and non-repudiation ƒ
  • Supports cryptographic hardware via the standard PKCS #11 interface, including FIPS 140-2 Level 3 and 4, which can be used to accelerate digital signing and SSL/TLS operations

Separate, configurable validation caches

  • In-memory repository of all certificate validation requests, regardless of the validation mechanism ƒƒ
  • Disk-resident CRL repository ƒƒ
  • Improves performance and increases reliability in environments where the underlying network is not always available. ƒƒ
  • Robust failover mechanism supports multiple sources of revocation information, including multiple VA Servers

Automatic configuration

  • Supports automatic configuration using parameters obtained from the VA Server if the Web or application server supports auto-configuration ƒƒ
  • Facilitates large-scale application deployments

VA Repeater and Responder Appliances

VA Server Appliances are hardware-software appliance solutions that can be installed in less than 30 minutes, and deliver the lowest total cost of ownership for distributed computing environments.

VA Validator Toolkits

VA Validator Toolkits provides a complete set of certificate validation functions, source code examples and reference manuals. The VA Validator Toolkits can save development time and money for commercial or custom PKI-enabled applications, such as network and handheld devices, physical security systems and workflow applications. 

The VA Validator Toolkits encapsulates the complexities of PKI digital certificate validation in a three-step process that developers can implement through easyto-
understand C/C++ and Java interfaces. The VA Validator Toolkit for C/C++ is certified DOD JITC, IdenTrust and FIPS 140-2 Level 1 compliant. These credentials save organizations the time and cost of additional testing and certification. The Validator Java Toolkit uses third-party Java security providers to execute cryptographic functions.


  • Standards Support: OCSP (RFC 2560), IPv6 and IPv4, SCVP (RFC 5055), SSL 3.0, TLS 1.0, X509v3 digital certificate format, CRLv2 and delta CRL revocation data, LDAP(S), FTP, HTTP(S) CRL retrieval, SNMP and HTTPS administration, RSA PKCS#1,#7,#10,#11
  • SHA-1, SHA-256. SHA-512 and MD5, Microsoft Cryptographic API, ECC prime 256,384, ECCDSA
  • Platforms (64-bit support): Sun Solaris 10, Red Hat Linux 5, 6, Axway Appliance (Windows and Linux), Windows 2003, 2008, 2012, XP,Vista and Windows 7
  • Cryptographic Hardware (FIPS 140-2 Levels 2, 3 &4): Thales, SafeNet, AEP Networks
  • Load Balancers: Cisco CSS and CSM, Foundry BigIron, F5 Big IP, Resonate Dispatch