EJBCA Validation/Conformance Tool
ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.
Introduction
The Validation Tool is a standalone client-side application for certificates and OCSP responses validation and conformance checks.
The tool is used for running tests on issued certificates or OCSP responses to validate that they match the configured criteria. A typical use case is to, after setting up a functioning system, configure a set of checks to be run either periodically or after upgrades and configuration changes, to ensure the system is still functioning as expected. To perform validation during issuance, use the built in EJBCA Validators.
The Validation Tool is independent of the EJBCA version and the same tool can thus be used after an EJBCA upgrade.
The following sections cover building and running the tool, output Results, and information on the Validation Tool Command Line Interface.
For information on configuration, see Validation Tool Configuration and for a summary of the features, see Validation Tool Features.
Build
To build the tool and create a dist/validationtool directory, run the following:
ant validationtoolYou may move the directory dist/validationtool to any location.
To provide online documentation for available ValidationTool commands and options, run the following::
bin/validationtool.shTo create a source distribution and create a dist/validationtool-src directory, run the following:
ant validationtool-srcYou may zip the directory and extract it in any location.
To build the Validation Tool, run the following in the modules/validationtool directory:
ant jarConfigure
For configuration examples, refer to the conf/sample1 folder containing sample OCSP and certificate checks configuration files. For more information, see Validation Tool Configuration.
The configuration files are formatted in Java Properties files format and the application expects ISO-8859-1 (latin1) encoding. Other characters can be escaped manually or by using a tool such as native2ascii.
Run
To run OCSP checks, run the following:
bin/validationtool.sh ocsp -url http://localhost:8080/ejbca/publicweb/status/ocsp -caconf conf/sample1/ocspchecks_adminca.propertiesThis will query the OCSP responder for three different results (good, revoked and unknown) as configured in ocspchecks_adminca.properties. For the tests to succeed, replace the managementca.crt with the issuer of your OCSP responder certificates, and change the DN:s and serial numbers in the configuration file to match your installation.
To run certificate checks, run the following:
bin/validationtool.sh certificate -conf conf/sample1/certchecks1.properties -certfolder ./certfolderThe tool waits for certificate files to be placed in the folder called certfolder. When a certificate file is detected, it is parsed and the configured certificate checks are executed. You need to configure certchecks1.properties with the tests that should be performed and their properties.
Results
Results are written after all configured checks are run for a query or certificate file. By default, the log is written to both standard output and a log file called validationtool.log. Log4j can be configured in conf/log4j.xml.
If the validation was successful and all checks for the current query or certificate file were successful, the results are logged with the INFO priority. Otherwise the ERROR priority is used.
For every check performed, an entry is written in the report beginning with the result of the check, either _SUCCESS{_}, _UNKNOWN_ or _FAILURE{_}. Success means that the check was successfully executed, and the expected result obtained. Unknown means that the test could not be executed for instance because a certificate was not included in the OCSP response etc. Failure means that the test was executed but the expected result was not obtained.
For successful checks, the name of the test and a short description is noted. For other results a more detailed description about what failed with the analyzed certificate or OCSP response is noted.
Example certificate validation output
2012-07-31 15:21:22,208 ERROR : Validation results for: Configuration: certchecks1.properties Certificate file: timestamp2.pem Certificate serial: 0x5c04ced718526417 Certificate issuer: CN=ManagementCA,O=PrimeKey Solutions AB,C=SE Certificate subject: CN=Signer 1,C=SE Certificate fingerprint (SHA1): 05a219d835622653192c30eeeee8f01f918b30fb[SUCCESS] CertCheck_Signature_algorithmEquals Compares the signature algorithm Expected: 1.2.840.113549.1.1.5 Actual: 1.2.840.113549.1.1.5 Details: [SUCCESS] CertCheck_SubjectDNComponents_required Checks that sampled certificate contains the required DN fields Expected: At least [O, CN] Actual: [O, OU, CN] Details: [FAILURE] CertCheck_SubjectDNComponents_identical Compares the values of the DN components configured to be identical Expected: the following to be identical [C, O] Actual: was different [O] Details: [[O=[PrimeKey Solutions AB], [Organization 1]]]...Example OCSP validation output
2012-08-06 12:16:59,887 ERROR : Validation results for: Server URL: http://localhost:8080/ejbca/publicweb/status/ocsp Configuration: ocspchecks_myca1.properties CA: CN=MyCA1,O=EJBCA Support,C=SE Query serial number: 0x168794fbd471c7fc Expected signer: CN=Signer 2,O=EJBCA Support,C=SE Expected status: good Request file: ./failfolder/request936843811890885123.orq Response file: ./failfolder/response6475558795694330535.ors[SUCCESS] OcspCheck_ExpectedSigner Outputs whether a response was received from the expected signer or not Expected: Response from signer with subject DN: "CN=OCSP Signer 1,O=Organization A,C=SE" Actual: Response from signer with subject DN: "CN=OCSP Signer 1,O=Organization A,C=SE" Details: [FAILURE] OcspCheck_ExpectedStatus Checks that the returned certificate status is the expected Expected: good Actual: unknown Details: [SUCCESS] OcspCheck_Response_time Checks that the response was returned within the configured max time Expected: responseTime <= 500 Actual: responseTime = 61 Details: ...Validation Tool Command Line Interface (CLI)
The Validation Tool Command Line Interface (CLI) has a ocsp and a certificate command with the following respective syntax.
ocsp
in/validationtool.sh ocspusage: ocsp [-url URL]... [-maxtries NUMBER] [-caconf CONFIGFILE]... [-failfolder FOLDER]Run the OCSP healthcheck tool with the specifed CA configuration file(s) -caconf CA configuration file. This option can be specified for every issuer to query. -failfolder Folder to move requests and responses for which there were failures. If not specified, failures are not stored. -listchecks Lists all the available checks and exists. No other options are required when using this. -maxtries Maximum number of tries to perform before giving up getting a response from a particular responder. -url URL of server to query. This option can be specified for every server to query.Sample usages:a) ocsp -listchecksb) ocsp -url http://localhost:8080/ejbca/publicweb/status/ocsp -caconfmanagementca.propertiesc) ocsp -url http://server1/status/ocsp -url http://server2/status/ocsp-maxtries 5 -caconf ocspchecks_managementca.properties -caconfocspchecks_authca1.propertiesd) ocsp -url http://localhost:8080/ejbca/publicweb/status/ocsp -caconfocspchecks_managementca.properties -failfolder ./failfolderMultiple OCSP responder URL:s and CA configuration files can be specified as arguments to the command. Each URL will be queried with all queries as configured in each CA configuration file. This means that each URL should answer responses with the signer subject DN:s as specified in the configuration. This might only be useful in some situation like when one wants to test different URL:s to the same responders. To query different responders on different URLs the command can instead be invoked multiple times with the different URLs and matching configuration files.
If a folder for failures is specified the requests and responses which had failures will be outputted there.
The maxtries option decides the maximum number of times each query is sent before giving up trying to get a response from the specified responder. Default value is 5.
certificate
bin/validationtool.sh certificateusage: certificate -conf CONFFILE -certfolder FOLDERPATH [-minfileage 2000] [-waittime 1000] [-failfolder FOLDER]The certificate validation application monitoring and checking allcertificates in the specified folder. -certfolder Folder to watch for certificates. -conf File name of the configuration file to use. -failfolder Folder to move certificates to for which there were failures. If not specified the files are deleted. -listchecks Lists all the available checks and exists. No other options are required when using this. -minfileage Minimum number of milliseconds since the last modified time before a file is up for inspection. Specify this to make it less likely a file is being checked before it has been completely written to disk. -waittime Time in milliseconds to wait before checking again if there were no files in the directory.Sample usages:a) certificate -listchecksb) certificate -conf certchecks.properties -certfolder ./certfolderc) certificate -conf certchecks.properties -certfolder ./certfolder-minfileage 2000 -waittime 1000d) certificate -conf certchecks.properties -certfolder ./certfolder-failfolder ./failfolderIf a folder for failures is specified the certificates which had failures will be moved there.
Note that it is important to not run multiple instances of the tool at the same time on the same folder as the tool will remove the tested certificates.