S/MIME 05-04-2023

DigiCert Releases Innovative Automated Testing Tool for Digital Certificates

Stephen Davidson

New open-source certificate linter implements compliance checking for
S/MIME Baseline Requirements

DigiCert is pleased to announce the release of a new certificate linter, known as pkilint, which builds on industry experience in automating compliance checks for digital certificates. This first release of pkilint implements compliance testing for the recently released CA/Browser (CA/B) Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates (also known as the S/MIME Baseline Requirements).

What is a certificate linter?

Pkilint is a certificate linter — a type of software used to analyze digital certificates for errors or compliance issues. Using automation, it can rapidly analyze and flag problems during the certificate issuance process, or be used to audit the conformity of large directories of previously issued certificates.

The pkilint S/MIME linter is being provided to the community by DigiCert as open-source software (OSS) under the MIT License, which provides wide freedom to use, distribute and modify the software.

What sets pkilint apart?

The new pkilint framework can be adapted to any certificate type. It initially includes more than 145 separate tests against different specifications of the S/MIME Baseline Requirements (BRs) and other important standards that apply to digital certificate formats.

Pkilint was developed based on DigiCert’s experience using certificate linters in high-volume environments. The pkilint framework provides several advantages over existing approaches:

  • Built on top of a proven ASN.1 parser, allowing very detailed checks that detect ASN.1 encoding errors.
  • Architected from the ground up to support linting of many different types of PKI structures (including certificates, CRLs, OCSP responses, etc.) against different standards and trust frameworks.
  • Rich validation logic analyzes every field of an ASN.1 document and determines which sets of tests to execute. This results in faster and more thorough testing, with less development time.
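
As an added illustration of the ASN.1 encoding checks mentioned in the list above (this is not pkilint code and not DigiCert's; the helper name `lint_der` and the sample byte strings are constructed for this example), the following Python walks a DER structure and flags encodings that DER forbids: indefinite lengths, non-minimal length octets and non-canonical BOOLEAN values.

```python
# Added example, not pkilint code: strict DER encoding checks over constructed samples.
from typing import List, Tuple
Finding = Tuple[int, str]  # (byte offset of the TLV, message)

def lint_der(data: bytes, base: int = 0) -> List[Finding]:
    """Walk DER TLVs (hypothetical helper) and report encoding errors."""
    findings: List[Finding] = []
    pos = 0
    while pos < len(data):
        start, tag = pos, data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            return findings + [(base + start, "multi-byte tag not covered by this example")]
        if pos >= len(data):
            return findings + [(base + start, "truncated: missing length octet")]
        first = data[pos]
        pos += 1
        if first == 0x80:
            return findings + [(base + start, "indefinite length is forbidden in DER")]
        if first < 0x80:
            length = first  # short form
        else:
            n = first & 0x7F  # long form: n length octets follow
            raw = data[pos:pos + n]
            if len(raw) < n:
                return findings + [(base + start, "truncated: incomplete length octets")]
            pos += n
            length = int.from_bytes(raw, "big")
            if raw[0] == 0 or length < 0x80:
                findings.append((base + start, "non-minimal length encoding"))
        value = data[pos:pos + length]
        if len(value) < length:
            return findings + [(base + start, "truncated: value shorter than declared length")]
        if tag == 0x01 and value not in (b"\x00", b"\xff"):
            findings.append((base + start, "BOOLEAN must be 0x00 or 0xFF in DER"))
        if tag & 0x20:  # constructed type: lint the nested TLVs
            findings.extend(lint_der(value, base + pos))
        pos += length
    return findings

# Constructed samples: SEQUENCE { BOOLEAN TRUE, INTEGER 5 } and broken variants.
GOOD = bytes.fromhex("30060101ff020105")
BAD_LENGTH = bytes.fromhex("3081060101ff020105")  # length 6 written in long form
BAD_BOOL = bytes.fromhex("3003010101")            # BOOLEAN encoded as 0x01
INDEFINITE = bytes.fromhex("30800101ff0000")      # indefinite-length SEQUENCE

if __name__ == "__main__":
    for blob in (GOOD, BAD_LENGTH, BAD_BOOL, INDEFINITE):
        print(blob.hex(), lint_der(blob))
```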

In addition to pkilint, DigiCert recently provided an OSS tool called SMBR-Cert-Factory that allows users to generate test certificates that are compliant with the different certificate profiles defined in the S/MIME BRs.

What are the S/MIME Baseline Requirements?

The S/MIME BRs created industry-wide standards — for the first time — for Certificate Authorities (CAs) that issue digital certificates used to sign emails, making them tamperproof and showing their origin, or to encrypt them for privacy. The S/MIME BRs take effect in September 2023, covering:

  • Validation of subject identity and control over email addresses
  • Certificate profiles for both issuing CA and end entity certificates
  • CA operational practices, including key management and certificate lifecycle

A previous CA/B Forum standard known as the TLS Baseline Requirements created unified standards for SSL/webserver certificates, but the real benefit was seen when the first certificate linters, known as certLint, ZLint and X509lint, were released to allow automated wide-scale testing of certificates against the standard. DigiCert believes that pkilint will provide similar benefits in allowing CAs and third parties to automate the testing of digital certificates for compliance with the S/MIME BRs.

What’s next for pkilint development?

The pkilint framework is easily expandable to analyze other digital certificate types and aspects of PKI, such as CRL and OCSP implementations. Additionally, DigiCert is planning to use the framework to add lints to encompass the changes introduced by the CA/B Forum Ballot SC-62 for TLS certificate profiles. Developers who are interested in contributing to pkilint can do so on the project’s GitHub page. Read more at the pkilint repository on GitHub.

DigiCert leadership in industry standards for digital trust

As part of its commitment to building digital trust, DigiCert’s Industry Standards team is involved in a wide array of organizations writing requirements and specifications for the use of Public Key Infrastructure (PKI). These include the CA/B Forum addressing standards for the webPKI, S/MIME and code signing; Verified Mark Certificates for email trust; the Internet Engineering Task Force for a wide variety of technical topics including post quantum crypto; the Connectivity Standards Alliance’s Matter for IoT security; and the European Telecommunications Standards Institute (ETSI) providing a wide array of standards for electronic signatures and eIDAS Qualified trust service provider operations. Scan your S/MIME certificate against the CA/B Forum’s new S/MIME Baseline Requirements with pkilint.

