RFC-5280 (Section 6) specifies the algorithm for validating a certification path, which typically assumes a coherent, ordered chain from the end-entity certificate to a trusted root. When a legacy PKI solution does not adhere to this standard, it may present the certificates in the chain out of order. The "Validate disordered certificate chains" option in PingAccess is specifically designed to address this issue. When enabled, PingAccess will attempt to reorder the provided certificates to build a valid path to a trusted certificate authority, thereby accommodating the non-compliant behavior of the legacy system.

A. Use Java Trust Store: This option supplements the configured trust group with CAs from the JVM's default trust store; it does not alter the logic for validating the order of a certificate chain.

C. Skip Certificate Date Check: This option bypasses the notBefore and notAfter validity checks on a certificate, which is unrelated to the structural validation of the certificate path itself.

D. Deny when unable to determine revocation status: This setting controls behavior related to certificate revocation checking (CRL/OCSP), which is a separate process from the initial path construction and validation.

1. Ping Identity PingAccess 7.3 Documentation:

Source: PingAccess Administrator Guide > Configuring PingAccess > Configuring Trusted Certificate Groups.

Reference: In the "Trusted Certificate Group Fields" table, the description for Validate disordered certificate chains states: "Select this check box to allow PingAccess to validate certificate chains that are not in the correct order. This option is useful when working with older systems that do not order certificate chains correctly." This directly addresses the scenario of a legacy system not adhering to standard chain presentation.