New open-source certificate linter implements compliance checking for S/MIME Baseline Requirements
DigiCert is pleased to announce the release of a new certificate linter, known as pkilint, which builds on industry experience in automating compliance checks for digital certificates. This first release of pkilint implements compliance testing for the recently released CA/Browser (CA/B) Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates (also known as the S/MIME Baseline Requirements).
Pkilint is a certificate linter — a type of software used to analyze digital certificates for errors or compliance issues. Using automation, it can rapidly analyze and flag problems during the certificate issuance process, or be used to audit the conformity of large directories of previously issued certificates.
The pkilint S/MIME linter is being provided to the community by DigiCert as open-source software (OSS) under the MIT License, which provides wide freedom to use, distribute and modify the software.
Read more at the pkilint repository on GitHub.
The new pkilint framework can be adapted to any certificate type. Its initial release includes more than 145 separate tests covering requirements of the S/MIME Baseline Requirements (BRs) and of other standards that govern digital certificate formats.
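To make the announcement's description concrete (a set of independent tests that a runner applies to a certificate, either to gate issuance or to audit a directory of existing certificates), here is a toy lint framework added for this page. It is illustrative code, not pkilint's own implementation, and it requires the `cryptography` package. The three lints encode requirements the S/MIME BRs place on leaf certificates as recalled by the editor (id-kp-emailProtection in extKeyUsage, an rfc822Name mailbox in subjectAltName, and a validity limit of 825 days for Strict/Multipurpose and 1185 days for Legacy); confirm the exact values against the current BR text before relying on them. The self-signed test certificate, the lint identifiers and the `demo` helper are all constructed here.

```python
"""Toy certificate-lint framework in the style the announcement describes.

Illustrative code written for this page; it is not pkilint's own code. Each
lint inspects one aspect of a parsed X.509 certificate and returns findings;
a runner applies the whole set and aggregates the results.
Requires the `cryptography` package.
"""
import datetime
from dataclasses import dataclass
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Maximum validity (days) per S/MIME BR certificate generation. Values as the
# editor recalls them from the S/MIME BRs (assumption); confirm against the text.
MAX_VALIDITY_DAYS = {"strict": 825, "multipurpose": 825, "legacy": 1185}


@dataclass(frozen=True)
class Finding:
    lint: str       # stable identifier, so findings can be counted and tracked over time
    severity: str   # "ERROR" for a BR violation; a real framework also has WARNING/INFO
    message: str


def lint_eku_email_protection(cert, generation):
    """S/MIME leaf certificates must assert id-kp-emailProtection in extKeyUsage."""
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return [Finding("eku.missing", "ERROR", "extKeyUsage extension is absent")]
    if ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        return [Finding("eku.no_email_protection", "ERROR",
                        "extKeyUsage does not include id-kp-emailProtection")]
    return []


def lint_san_mailbox(cert, generation):
    """The subject's mailbox must appear as an rfc822Name in subjectAltName."""
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return [Finding("san.missing", "ERROR", "subjectAltName extension is absent")]
    mailboxes = san.get_values_for_type(x509.RFC822Name)
    if not mailboxes:
        return [Finding("san.no_rfc822name", "ERROR", "subjectAltName carries no rfc822Name")]
    return [Finding("san.rfc822name_syntax", "ERROR", f"rfc822Name {m!r} is not a mailbox")
            for m in mailboxes if "@" not in m]


def lint_validity_period(cert, generation):
    """Validity must not exceed the limit for the certificate's generation."""
    # cryptography >= 42 exposes timezone-aware accessors; fall back to the naive ones
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    days = (not_after - not_before).days   # the BRs count inclusively; mind boundary cases
    limit = MAX_VALIDITY_DAYS[generation]
    if days > limit:
        return [Finding("validity.too_long", "ERROR",
                        f"validity of {days} days exceeds {limit} for {generation}")]
    return []


LINTS = [lint_eku_email_protection, lint_san_mailbox, lint_validity_period]


def run_lints(cert, generation="multipurpose"):
    """Apply every lint to one certificate and return the findings, sorted by lint id."""
    findings = []
    for lint in LINTS:
        findings.extend(lint(cert, generation))
    return sorted(findings, key=lambda f: f.lint)


def build_test_cert(email=None, eku=(ExtendedKeyUsageOID.EMAIL_PROTECTION,), days=365):
    """Constructed self-signed certificate standing in for a CA-issued S/MIME leaf."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Subscriber")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False))
    if email is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return builder.sign(key, hashes.SHA256())


def demo():
    """Return the lint ids raised for a conforming and a non-conforming test cert."""
    good = run_lints(build_test_cert(email="alice@example.com"))
    bad = run_lints(build_test_cert(email=None,
                                    eku=(ExtendedKeyUsageOID.CLIENT_AUTH,), days=1200))
    return [f.lint for f in good], [f.lint for f in bad]


if __name__ == "__main__":
    for label, ids in zip(("conforming", "non-conforming"), demo()):
        print(f"{label}: {ids or 'no findings'}")
```

Each lint is a plain function with a stable identifier, which is what makes a framework like this useful at issuance time (block the certificate if any ERROR finding is present) and in audits (count findings per lint id across a directory of certificates to see which requirement is most often missed). The `generation` parameter shows why a profile-aware runner matters: the same certificate can pass the Legacy validity limit and fail the Multipurpose one.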
Pkilint was developed based on DigiCert’s experience using certificate linters in high volume environments. The pkilint framework provides several advantages over existing approaches:
In addition to pkilint, DigiCert recently provided an OSS tool called SMBR-Cert-Factory that allows users to generate test certificates compliant with the different certificate profiles defined in the S/MIME BRs.
The S/MIME BRs created, for the first time, industry-wide standards for Certificate Authorities (CAs) that issue digital certificates used to sign emails (making them tamperproof and showing their origin) or to encrypt them for privacy. The S/MIME BRs take effect in September 2023, covering:
A previous CA/B Forum standard known as the TLS Baseline Requirements created unified standards for SSL/webserver certificates, but the real benefit was seen when the first certificate linters, certLint, ZLint and X509lint, were released to allow automated wide-scale testing of certificates against the standard. DigiCert believes that pkilint will provide similar benefits in allowing CAs and third parties to automate the testing of digital certificates for compliance with the S/MIME BRs.
The pkilint framework is easily expandable to analyze other digital certificate types and aspects of PKI, such as CRL and OCSP implementations. Additionally, DigiCert is planning to use the framework to add lints to encompass the changes introduced by the CA/B Forum Ballot SC-62 for TLS certificate profiles. Developers who are interested in contributing to pkilint can do so on the project’s GitHub page.
As part of its commitment to building digital trust, DigiCert’s Industry Standards team is involved in a wide array of organizations writing requirements and specifications for the use of Public Key Infrastructure (PKI). These include the CA/B Forum, addressing standards for the Web PKI, S/MIME and code signing; Verified Mark Certificates for email trust; the Internet Engineering Task Force, for a wide variety of technical topics including post-quantum cryptography; the Connectivity Standards Alliance’s Matter for IoT security; and the European Telecommunications Standards Institute (ETSI), providing a wide array of standards for electronic signatures and eIDAS Qualified trust service provider operations.