Add a check for server and CA certificates in device policies to the ONC validator.

chromeos/docs/onc_spec.html

 <!DOCTYPE html>
 <html>
 <head>
   <meta charset="utf-8">
   <link rel="stylesheet" href="onc_spec.css" >
   <script src="onc_spec.js"></script>
   <title>Open Network Configuration Format</title>
 </head>
 <body>
 
@@ skipping 101 matching lines @@
 
 <section>
   <h1>GUIDs and Updating</h1>
   <p>
     This format allows for importing updated network configurations and
     certificates by providing GUIDs to each network configuration and
     certificate so they can be modified or even removed in future updates.
   </p>
 
   <p>
-    GUIDs are meant to be stable and unique. When they refer to the same entity,
-    they should be the same between ONC files. No two different networks or
-    certificates should have the same GUID, similarly a network and certificate
-    should not have the same GUID. A single ONC file should not contain the same
-    entity twice (with the same GUID). Failing any of these tests indicates the
-    ONC file is not valid.
+    GUIDs are non-empty strings that are meant to be stable and unique. When
+    they refer to the same entity, they should be the same between ONC files. No
+    two different networks or certificates should have the same GUID, similarly
+    a network and certificate should not have the same GUID. A single ONC file
+    should not contain the same entity twice (with the same GUID). Failing any
+    of these tests indicates the ONC file is not valid.
   </p>
 
   <p>
     Any GUID referred to in an ONC file must be present in the same ONC file. In
     particular, it is an error to create a certificate in one ONC file and refer
     to it in a NetworkConfiguration in another ONC file and not define it there,
     even if the previous ONC file has been imported.
   </p>
 </section>
 
@@ skipping 100 matching lines @@
       </span>
       Ethernet settings.
     </dd>
 
     <dt class="field">GUID</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      a unique identifier for this network connection, which exists to make it
-      possible to update previously imported configurations
+      A unique identifier for this network connection, which exists to make it
+      possible to update previously imported configurations. Must be a non-empty
+      string.
     </dd>
 
     <dt class="field">IPConfigs</dt>
     <dd>
       <span class="field_meta">
         (optional if <span class="field">Remove</span> is
         <span class="value">false</span>, otherwise ignored)
         <span class="type">array of IPConfig</span>
       </span>
       Static IPv4 or IPv6 parameters to associate with this connection.
@@ skipping 1309 matching lines @@
     The <span class="type">Certificate</span> type contains the following:
   </p>
 
   <dl class="field_list">
     <dt class="field">GUID</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      unique identification for certificate
+      A unique identifier for this certificate. Must be a non-empty string.
     </dd>
 
     <dt class="field">PKCS12</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Type</span> is
         <span class="value">Client</span>, otherwise ignored)
         <span class="type">string</span>
       </span> For certificates with
       private keys, this is the base64 encoding of the a PKCS#12 file.
@@ skipping 480 matching lines @@
     is transmitted or saved to disk should be secure. On client device, when
     user names for connections that are user-specific are persisted to disk,
     they should be stored in a location that is encrypted. Users can also opt in
     these cases to not save their user credentials in the config file and will
     instead be prompted when they are needed.
   </p>
 </section>
 </section>
 </body>
 </html>