Validation Tool Configuration

Configuration of the Validation Tool is covered in the sections Certificate Checks and OCSP Checks, and the table Available Checks lists all available Validation Tool checks.

Certificate Checks

The certificate check tool is run with one certificate checks configuration file. The file points out one template certificate to compare the certificates against as well as lists all checks to perform and their properties.

Sample Certificate check configuration:

template.file=template1.pem
 
checks=\
CertCheck_Certificate_identical,\
CertCheck_Signature_algorithmEquals,\
CertCheck_SubjectDNComponents_required,\
CertCheck_SubjectDNComponents_allowed,\
CertCheck_IssuerDNComponents_specified,\
CertCheck_ValidityNotAfter_minRemaining,\
CertCheck_Extensions_identical
 
checks.CertCheck_Certificate_identical.dynamicfields=\
serialNumber,\
signature,\
issuer,\
validity,\
subject,\
subjectPublicKeyInfo,\
extensions
 
checks.CertCheck_SubjectDNComponents_required.components=CN,O
checks.CertCheck_SubjectDNComponents_allowed.components=CN,O,L,ST,C
 
checks.CertCheck_IssuerDNComponents_specified.dnparts=O\=PrimeKey Solutions AB,C\=SE
checks.CertCheck_ValidityNotAfter_minRemaining.hours=24
checks.CertCheck_Extensions_identical.oids=\
2.5.29.37,\
2.5.29.14

Each check is listed in the "checks" property separated by a comma sign. Properties for the checks (if required) are added in properties of the form checks.CHECKNAME.PROPERTYNAME=VALUE where CHECKNAME is the name of the check as it is written in the checks list and PROPERTYNAME is the name of a property the check is expecting. Checks might require 0 or more properties. The tool will exit with an error message if not all required properties are specified.

OCSP Checks

The OCSP check tool can be feed with one or more CA configuration files. Each CA configuration file represents one CA issuing OCSP responder certificates. It defines a set of queries to send to the OCSP responders as well as lists all checks to perform and their properties.

Sample OCPS checks CA configuration:

ca.issuercertificatefile=myca1.crt
ca.usenonce=true
 
ca.queries=revoked1,unknown1,good1
ca.queries.revoked1.serialnumber=0x70A81ED6E6339EDC
ca.queries.revoked1.expectedstatus=revoked
ca.queries.revoked1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.queries.unknown1.serialnumber=0x47114711
ca.queries.unknown1.expectedstatus=unknown
ca.queries.unknown1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.queries.good1.serialnumber=0x168794FBD471C7FC
ca.queries.good1.expectedstatus=good
ca.queries.good1.signersubjectdn=CN\=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE
 
ca.checks=\
OcspCheck_ExpectedSigner,\
OcspCheck_ExpectedStatus,\
OcspCheck_Response_time,\
OcspCheck_Response_verify,\
OcspCheck_Nonce,\
OcspCheck_Extensions_required,\
OcspCheck_Extensions_allowed,\
OcspCheck_CertificateChain,\
OcspCheck_SignerCertificate
 
ca.checks.OcspCheck_Response_time.maxtime=500
ca.checks.OcspCheck_SignerCertificate.includeconfigurationfile=certchecks1.properties
ca.checks.OcspCheck_Extensions_allowed.allowedoids=1.3.6.1.5.5.7.48.1.2
ca.checks.OcspCheck_Extensions_required.requiredoids=

This example defines three queries to send, one with each OCSP response status - good, revoked or unknown for different certificate serial numbers. The idea is to configure the queries to be for certificate which are known to have a particular status in the CA database. The OCSP responder (signer) subject DN for the expected responder answering the request is also configured. Only responses from the expected responder is further examined. This could be particular useful if running queries against a load balancer or a virtual IP (VIP) with multiple responders behind and one wants to be sure that each responder is tested.

The ca.usenonce property determines if a nonce should be included or not when sending the queries. Default is to send a nonce (ca.usenonce=true).

Note in this example that the check called OcspCheck_SignerCertificate is using a certificate checks configuration file (as described in previous section) and will also run all checks configured in that one against the responder certificate.

Available Checks

The following table lists all available Validation Tool checks.

Certificate checks


CertCheck_Certificate_identical

Compares the certificate with the template except for the certificate fields declared in the 'dynamicfields' set.

images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg Unless the certificates should match exactly, multiple certificate fields would probably have to be added to the list.
Sample failure:

Expected: Identical values for the fields: [version, serialNumber, issuer, validity, issuerUniqueID, subjectUniqueID]
Actual: Different values for the fields: [serialNumber, issuer, validity]
Details:
serialNumber expected: 0x7d982c66a57c3430
serialNumber actual: 0x4d69e649072cc0d8
issuer expected: C=SE, O=EJBCA Sample, CN=ManagementCA
issuer actual: C=SE, O=EJBCA Support, CN=MyCA1
validity expected: [Sat Jun 03 17:33:39 CEST 2006, Fri May 29 17:43:39 CEST 2026]
validity actual: [Wed Jul 04 20:04:07 CEST 2012, Sat Jul 02 20:04:07 CEST 2022]


CertCheck_SubjectDNComponents_required

Checks that sampled certificate contains the required DN fields
Sample failure:

Expected: At least [L, O, CN]
Actual: [O, CN]
Details:

CertCheck_IssuerDNComponents_required

Checks that sampled certificate contains the required DN fields
Sample failure:

Expected: At least [L, O, CN]
Actual: [O, CN]
Details:

CertCheck_SubjectDNComponents_allowed

Checks that sampled certified does not contain any other DN components than the allowed
Sample failure:

Expected: Any number of [O, CN]
Actual: [L, O, CN]
Details:

CertCheck_IssuerDNComponents_allowed

Checks that sampled certified does not contain any other DN components than the allowed
Sample failure:

Expected: Any number of [O, CN]
Actual: [L, O, CN]
Details:

CertCheck_SubjectDNComponents_specified

Checks that the DN parts in the certificate are as the values specified in the configuration if they exists in the certificate.If a component specified in the configuration exists in the certificate it must have the same value(s) as specified.
Sample failure:

Expected: the following to be as specified [C, O]
Actual: was different [C, O]
Details: [C=[SE],[NO], O=[PrimeKey],[CESeCore]]

CertCheck_IssuerDNComponents_specified

Checks that the DN parts in the certificate are as the values specified in the configuration if they exists in the certificate.If a component specified in the configuration exists in the certificate it must have the same value(s) as specified.
Sample failure:

Expected: the following to be as specified [C, O]
Actual: was different [O]
Details: [O=[PrimeKey],[CESeCore]]

CertCheck_SubjectDNComponents_identical

Compares the values of the DN components configured to be identical.The same number of each component and with the same value(s) as in the template must exist in the certificate.
Sample failure:

Expected: the following to be identical [ST, C, L]
Actual: was different [ST]
Details: [ST=[Sweden],[Norway]]

CertCheck_IssuerDNComponents_identical

Compares the values of the DN components configured to be identical. The same number of each component and with the same value(s) as in the template must exist in the certificate.
Sample failure:

Expected: the following to be identical [ST, C, L]
Actual: was different [C]
Details: [C=[SE],[NO]]

CertCheck_SubjectDNOrder_specified

Checks that those DN components that are given in the configuration and are present in the certificate are in the right order. Any additional DN components in the certificate or in the configuration are ignored.
Sample failure:

Expected: the following components to be in the this order [CN, O, C]
Actual: [C, O, CN]
Details: [O was not supposed to be before C]

CertCheck_IssuerDNOrder_specified

Checks that those DN components that are given in the configuration and are present in the certificate are in the right order. Any additional DN components in the certificate or in the configuration are ignored.
Sample failure:

Expected: the following components to be in the this order [CN, O, C]
Actual: [C, CN, O]
Details: [CN was not supposed to be before C]

CertCheck_ValidityNotAfter_minRemaining

Checks that the notAfter date is at least the specified number of hours in the future
Sample failure:

Expected: 'notAfter' at least 4380 hours in future (earliest valid is 2013-02-14 00:13:11 UTC)
Actual: 4379 hours in future (2013-02-13 23:13:11 UTC)
Details: Current time: 2012-08-15 12:13:11 UTC

CertCheck_ValidityNotAfter_maxRemaining

Checks that the notAfter date is not more than a specified number of hours in the future
Sample failure:

Expected: 'notAfter' not more than 4380 hours in future (last valid is 2013-02-14 00:07:14 UTC)
Actual: 4381 hours in the future (2013-02-14 01:07:14 UTC)
Details: Current time: 2012-08-15 12:07:14 UTC

CertCheck_ValidityNotBefore_maxDiffFromNow

Checks that the notBefore date is not more than a specified number of minutes from now
Sample failure:

xpected: not more than 4380 minutes from now
Actual: -5000 minutes
Details:
Current time: 2012-08-10 07:09:03 UTC
notBefore: 2012-08-13 18:29:03 UTC

CertCheck_PublicKey_sizeEquals

Compares the public key specification
Sample failure:

Expected: bitLength=1024
Actual: bitLength=2048
Details:

CertCheck_PublicKey_algorithmEquals

Compares the public key algorithm, where public key algorithms is returned by Java Key.getAlgorithm, and is one specified in the Standard Names document for KeyPairGenerator in the Java Cryptography Architecture (JCA) Reference Guide.
Sample failure:

Expected: EC
Actual: RSA
Details:

CertCheck_Signature_algorithmEquals

Compares the signature algorithm
Sample failure:

Expected: 1.2.840.113549.1.1.5
Actual: 1.2.840.113549.1.1.11
Details:

CertCheck_Extensions_criticalOIDs

Checks that the same critical extensions OIDs are present
Sample failure:

Expected: [2.5.29.19]
Actual: [2.5.29.15, 2.5.29.19]
Details:

CertCheck_Extensions_nonCriticalOIDs

Checks that the same non-critical extensions OIDs are present
Sample failure:

Expected: [2.5.29.19]
Actual: [2.5.29.15]
Details:

CertCheck_Extensions_identical

Checks that the configured extension values are identical
Sample failure:

Expected: Identical values for [2.5.29.37, 2.5.29.19]
Actual: Different values for [2.5.29.37]
Details:

OCSP checks


OcspCheck_ExpectedSigner

Outputs whether a response was received from the expected signer or not.Notice that this check will be performed regardless if it is specified or not as if there are no response from the correct responder none of the other tests can run. However, include this check to get the result in the report.
Sample failure:

Expected: Response from signer with subject DN: "CN=OCSPSigner1 MyCA1,OU=The Unit,O=The organization,L=Stockholm,C=SE"
Actual: Got 3 responses from other responders: [CN=MyCA1,O=EJBCA Support,C=SE, CN=MyCA1,O=EJBCA Support,C=SE,
CN=MyCA1,O=EJBCA Support,C=SE]
Got 2 query errors: [Connection refused, Connection refused]
Details:

OcspCheck_SignerCertificate

Runs the configured checks for the signer certificate.
Sample failure:

xpected: All configured certificate checks to succeed
Actual: At least one certificate check failed
Details: See the individual checks for details.

OcspCheck_CertificateChain

Validates the signer certificate chain
Sample failure:

Expected: Valid certificate chain
Actual: Verification error
Details: Signature does not match.
Certificate to be verified: CN=Sub sub CA 1
Issuer certificate: CN=Responder Sub CA 1
Complete chain:
0: 0x76782bc186c29f0e CN=Sub sub CA 1 issued by CN=Sub CA 1
1: 0x392407a31a050b2 CN=Responder Sub CA 1 issued by CN=Root CA 1
2: 0x1cbb40cd1664b95e CN=Root CA 1 issued by CN=Root CA 1

OcspCheck_ExpectedStatus

Checks that the returned certificate status is the expected
Sample failure:

Expected: revoked
Actual: unknown
Details:

OcspCheck_Nonce

Checks that the nonce in the response matches the request.As a special case, if configured to not send a nonce the check checks that no nonce is present in the response.
Sample failure:

Expected: Same nonce in response as in request
Actual: No nonce in response
Details:

OcspCheck_Response_verify

Verifies the signature
Sample failure:

Expected: consistent signature
Actual: inconsistent signature
Details: the signature did not be verified correctly

OcspCheck_Response_time

Checks that the response was returned within the configured max time
Sample failure:

Expected: responseTime <= 5000
Actual: responseTime = 6137
Details:

OcspCheck_Extensions_required

Checks that all required extensions are in the response.Also add this extensions to the list of allowed if that check is also used.
Sample failure:

Expected: [1.3.6.1.5.5.7.48.1.6, 1.3.6.1.5.5.7.48.1.2]
Actual: [1.3.6.1.5.5.7.48.1.2]
Details:

OcspCheck_Extensions_allowed

Checks that only allowed extensions are in the response. Also add the required extensions to this list if that check is also used. Also if a nonce is used the OID for nonce (1.3.6.1.5.5.7.48.1.2) should be included.
Sample failure:

Expected: Any of [1.3.6.1.5.5.7.48.1.2]
Actual: [1.3.6.1.5.5.7.48.1.2, 1.3.6.1.5.5.7.48.1.6]
Details: