Configuration of the Validation Tool is covered in the sections Certificate Checks and OCSP Checks, and the table Available Checks lists all available Validation Tool checks.

Certificate Checks

The certificate check tool is run with one certificate checks configuration file. The file points out one template certificate to compare the certificates against as well as lists all checks to perform and their properties.

Sample Certificate check configuration:

template.file=template1.pem
 
checks=\
    CertCheck_Certificate_identical,\
    CertCheck_Signature_algorithmEquals,\
    CertCheck_SubjectDNComponents_required,\
    CertCheck_SubjectDNComponents_allowed,\
    CertCheck_IssuerDNComponents_specified,\
    CertCheck_ValidityNotAfter_minRemaining,\
    CertCheck_Extensions_identical
 
checks.CertCheck_Certificate_identical.dynamicfields=\
    serialNumber,\
    signature,\
    issuer,\
    validity,\
    subject,\
    subjectPublicKeyInfo,\
    extensions
 
checks.CertCheck_SubjectDNComponents_required.components=CN,O
checks.CertCheck_SubjectDNComponents_allowed.components=CN,O,L,ST,C
 
checks.CertCheck_IssuerDNComponents_specified.dnparts=O\=PrimeKey Solutions AB,C\=SE
checks.CertCheck_ValidityNotAfter_minRemaining.hours=24
checks.CertCheck_Extensions_identical.oids=\
    2.5.29.37,\
    2.5.29.14

Each check is listed in the "checks" property separated by a comma sign. Properties for the checks (if required) are added in properties of the form checks.CHECKNAME.PROPERTYNAME=VALUE where CHECKNAME is the name of the check as it is written in the checks list and PROPERTYNAME is the name of a property the check is expecting. Checks might require 0 or more properties. The tool will exit with an error message if not all required properties are specified.

OCSP Checks

The OCSP check tool can be feed with one or more CA configuration files. Each CA configuration file represents one CA issuing OCSP responder certificates. It defines a set of queries to send to the OCSP responders as well as lists all checks to perform and their properties.

Sample OCPS checks CA configuration:

ca.issuercertificatefile=myca1.crt
ca.usenonce=true
 
ca.queries=revoked1,unknown1,good1
ca.queries.revoked1.serialnumber=0x70A81ED6E6339EDC
ca.queries.revoked1.expectedstatus=revoked
ca.queries.revoked1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.queries.unknown1.serialnumber=0x47114711
ca.queries.unknown1.expectedstatus=unknown
ca.queries.unknown1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.queries.good1.serialnumber=0x168794FBD471C7FC
ca.queries.good1.expectedstatus=good
ca.queries.good1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.checks=\
    OcspCheck_ExpectedSigner,\
    OcspCheck_ExpectedStatus,\
    OcspCheck_Response_time,\
    OcspCheck_Response_verify,\
    OcspCheck_Nonce,\
    OcspCheck_Extensions_required,\
    OcspCheck_Extensions_allowed,\
    OcspCheck_CertificateChain,\
    OcspCheck_SignerCertificate
 
ca.checks.OcspCheck_Response_time.maxtime=500
ca.checks.OcspCheck_SignerCertificate.includeconfigurationfile=certchecks1.properties
ca.checks.OcspCheck_Extensions_allowed.allowedoids=1.3.6.1.5.5.7.48.1.2
ca.checks.OcspCheck_Extensions_required.requiredoids=

This example defines three queries to send, one with each OCSP response status - good, revoked or unknown for different certificate serial numbers. The idea is to configure the queries to be for certificate which are known to have a particular status in the CA database. The OCSP responder (signer) subject DN for the expected responder answering the request is also configured. Only responses from the expected responder is further examined. This could be particular useful if running queries against a load balancer or a virtual IP (VIP) with multiple responders behind and one wants to be sure that each responder is tested.

The ca.usenonce property determines if a nonce should be included or not when sending the queries. Default is to send a nonce (ca.usenonce=true).

Note in this example that the check called OcspCheck_SignerCertificate is using a certificate checks configuration file (as described in previous section) and will also run all checks configured in that one against the responder certificate.

Available Checks

The following table lists all available Validation Tool checks.

Certificate checks
CertCheck_Certificate_identical	Compares the certificate with the template except for the certificate fields declared in the 'dynamicfields' set. Unless the certificates should match exactly, multiple certificate fields would probably have to be added to the list. Sample failure: `Expected: Identical values` `for` `the fields: [version, serialNumber, issuer, validity, issuerUniqueID, subjectUniqueID]` `Actual: Different values` `for` `the fields: [serialNumber, issuer, validity]` `Details:` `serialNumber expected:` `0x7d982c66a57c3430` `serialNumber actual:` `0x4d69e649072cc0d8` `issuer expected: C=SE, O=EJBCA Sample, CN=ManagementCA` `issuer actual: C=SE, O=EJBCA Support, CN=MyCA1` `validity expected: [Sat Jun` `03` `17:33:39` `CEST` `2006, Fri May` `29` `17:43:39` `CEST` `2026]` `validity actual: [Wed Jul` `04` `20:04:07` `CEST` `2012, Sat Jul` `02` `20:04:07` `CEST` `2022]`
CertCheck_SubjectDNComponents_required	Checks that sampled certificate contains the required DN fields Sample failure: `Expected: At least [L, O, CN]` `Actual: [O, CN]` `Details:`
CertCheck_IssuerDNComponents_required	Checks that sampled certificate contains the required DN fields Sample failure: `Expected: At least [L, O, CN]` `Actual: [O, CN]` `Details:`
CertCheck_SubjectDNComponents_allowed	Checks that sampled certified does not contain any other DN components than the allowed Sample failure: `Expected: Any number of [O, CN]` `Actual: [L, O, CN]` `Details:`
CertCheck_IssuerDNComponents_allowed	Checks that sampled certified does not contain any other DN components than the allowed Sample failure: `Expected: Any number of [O, CN]` `Actual: [L, O, CN]` `Details:`
CertCheck_SubjectDNComponents_specified	Checks that the DN parts in the certificate are as the values specified in the configuration if they exists in the certificate.If a component specified in the configuration exists in the certificate it must have the same value(s) as specified. Sample failure: `Expected: the following to be as specified [C, O]` `Actual: was different [C, O]` `Details: [C=[SE],[NO], O=[PrimeKey],[CESeCore]]`
CertCheck_IssuerDNComponents_specified	Checks that the DN parts in the certificate are as the values specified in the configuration if they exists in the certificate.If a component specified in the configuration exists in the certificate it must have the same value(s) as specified. Sample failure: `Expected: the following to be as specified [C, O]` `Actual: was different [O]` `Details: [O=[PrimeKey],[CESeCore]]`
CertCheck_SubjectDNComponents_identical	Compares the values of the DN components configured to be identical.The same number of each component and with the same value(s) as in the template must exist in the certificate. Sample failure: `Expected: the following to be identical [ST, C, L]` `Actual: was different [ST]` `Details: [ST=[Sweden],[Norway]]`
CertCheck_IssuerDNComponents_identical	Compares the values of the DN components configured to be identical. The same number of each component and with the same value(s) as in the template must exist in the certificate. Sample failure: `Expected: the following to be identical [ST, C, L]` `Actual: was different [C]` `Details: [C=[SE],[NO]]`
CertCheck_SubjectDNOrder_specified	Checks that those DN components that are given in the configuration and are present in the certificate are in the right order. Any additional DN components in the certificate or in the configuration are ignored. Sample failure: `Expected: the following components to be in the` `this` `order [CN, O, C]` `Actual: [C, O, CN]` `Details: [O was not supposed to be before C]`
CertCheck_IssuerDNOrder_specified	Checks that those DN components that are given in the configuration and are present in the certificate are in the right order. Any additional DN components in the certificate or in the configuration are ignored. Sample failure: `Expected: the following components to be in the` `this` `order [CN, O, C]` `Actual: [C, CN, O]` `Details: [CN was not supposed to be before C]`
CertCheck_ValidityNotAfter_minRemaining	Checks that the notAfter date is at least the specified number of hours in the future Sample failure: `Expected:` `'notAfter'` `at least` `4380` `hours in future (earliest valid is` `2013-02-14` `00:13:11` `UTC)` `Actual:` `4379` `hours in future (2013-02-13` `23:13:11` `UTC)` `Details: Current time:` `2012-08-15` `12:13:11` `UTC`
CertCheck_ValidityNotAfter_maxRemaining	Checks that the notAfter date is not more than a specified number of hours in the future Sample failure: `Expected:` `'notAfter'` `not more than` `4380` `hours in future (last valid is` `2013-02-14` `00:07:14` `UTC)` `Actual:` `4381` `hours in the future (2013-02-14` `01:07:14` `UTC)` `Details: Current time:` `2012-08-15` `12:07:14` `UTC`
CertCheck_ValidityNotBefore_maxDiffFromNow	Checks that the notBefore date is not more than a specified number of minutes from now Sample failure: `xpected: not more than` `4380` `minutes from now` `Actual: -5000` `minutes` `Details:` `Current time:` `2012-08-10` `07:09:03` `UTC` `notBefore:` `2012-08-13` `18:29:03` `UTC`
CertCheck_PublicKey_sizeEquals	Compares the public key specification Sample failure: `Expected: bitLength=1024` `Actual: bitLength=2048` `Details:`
CertCheck_PublicKey_algorithmEquals	Compares the public key algorithm, where public key algorithms is returned by Java Key.getAlgorithm, and is one specified in the Standard Names document for KeyPairGenerator in the Java Cryptography Architecture (JCA) Reference Guide. Sample failure: `Expected: EC` `Actual: RSA` `Details:`
CertCheck_Signature_algorithmEquals	Compares the signature algorithm Sample failure: `Expected:` `1.2.840.113549.1.1.5` `Actual:` `1.2.840.113549.1.1.11` `Details:`
CertCheck_Extensions_criticalOIDs	Checks that the same critical extensions OIDs are present Sample failure: `Expected: [2.5.29.19]` `Actual: [2.5.29.15,` `2.5.29.19]` `Details:`
CertCheck_Extensions_nonCriticalOIDs	Checks that the same non-critical extensions OIDs are present Sample failure: `Expected: [2.5.29.19]` `Actual: [2.5.29.15]` `Details:`
CertCheck_Extensions_identical	Checks that the configured extension values are identical Sample failure: `Expected: Identical values` `for` `[2.5.29.37,` `2.5.29.19]` `Actual: Different values` `for` `[2.5.29.37]` `Details:`
OCSP checks
OcspCheck_ExpectedSigner	Outputs whether a response was received from the expected signer or not.Notice that this check will be performed regardless if it is specified or not as if there are no response from the correct responder none of the other tests can run. However, include this check to get the result in the report. Sample failure: `Expected: Response from signer with subject DN:` `"CN=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE"` `Actual: Got` `3` `responses from other responders: [CN=MyCA1,O=EJBCA Support,C=SE, CN=MyCA1,O=EJBCA Support,C=SE,` `CN=MyCA1,O=EJBCA Support,C=SE]` `Got` `2` `query errors: [Connection refused, Connection refused]` `Details:`
OcspCheck_SignerCertificate	Runs the configured checks for the signer certificate. Sample failure: `xpected: All configured certificate checks to succeed` `Actual: At least one certificate check failed` `Details: See the individual checks` `for` `details.`
OcspCheck_CertificateChain	Validates the signer certificate chain Sample failure: `Expected: Valid certificate chain` `Actual: Verification error` `Details: Signature does not match.` `Certificate to be verified: CN=Sub sub CA` `1` `Issuer certificate: CN=Responder Sub CA` `1` `Complete chain:` `0:` `0x76782bc186c29f0e` `CN=Sub sub CA` `1` `issued by CN=Sub CA` `1` `1:` `0x392407a31a050b2` `CN=Responder Sub CA` `1` `issued by CN=Root CA` `1` `2:` `0x1cbb40cd1664b95e` `CN=Root CA` `1` `issued by CN=Root CA` `1`
OcspCheck_ExpectedStatus	Checks that the returned certificate status is the expected Sample failure: `Expected: revoked` `Actual: unknown` `Details:`
OcspCheck_Nonce	Checks that the nonce in the response matches the request.As a special case, if configured to not send a nonce the check checks that no nonce is present in the response. Sample failure: `Expected: Same nonce in response as in request` `Actual: No nonce in response` `Details:`
OcspCheck_Response_verify	Verifies the signature Sample failure: `Expected: consistent signature` `Actual: inconsistent signature` `Details: the signature did not be verified correctly`
OcspCheck_Response_time	Checks that the response was returned within the configured max time Sample failure: `Expected: responseTime <=` `5000` `Actual: responseTime =` `6137` `Details:`
OcspCheck_Extensions_required	Checks that all required extensions are in the response.Also add this extensions to the list of allowed if that check is also used. Sample failure: `Expected: [1.3.6.1.5.5.7.48.1.6,` `1.3.6.1.5.5.7.48.1.2]` `Actual: [1.3.6.1.5.5.7.48.1.2]` `Details:`
OcspCheck_Extensions_allowed	Checks that only allowed extensions are in the response. Also add the required extensions to this list if that check is also used. Also if a nonce is used the OID for nonce (1.3.6.1.5.5.7.48.1.2) should be included. Sample failure: `Expected: Any of [1.3.6.1.5.5.7.48.1.2]` `Actual: [1.3.6.1.5.5.7.48.1.2,` `1.3.6.1.5.5.7.48.1.6]` `Details:`