A Java CLI tool can be used to check the validity of a certificate from scripts. The tool supports a clustered SignServer installation using the "Use first host that response OK" policy.

When compiling, make sure that the setting validationclient.enabled is set to true in the build properties. The client is lib/SignServer-Client-ValidationCLI.jar.

Use the client with:

bin/signclient validatecertificate <options>

The following options are available:

Option

Description

-cert <cert-file>

Path to certificate file (DER or PEM). (Required)

-certpurposes <certpurposes>

A comma-separated string containing requested certificate purposes.

-der

Certificate is in DER format.

-help

Displays this information.

-hosts <hosts>

A comma-separated string containing the hostnames of the validation service nodes. For example,  'host1.someorg.org,host2.someorg.org'. (Required)

-pem

Certificate is in PEM format. (Default)

-port <port>

Remote port of service. (Default is 8080 or 8442 for SSL)

-service <service-name>

The name or ID of the validation service to process request. (Required)

-silent

Does not produce any output. Only returns a value.

-truststore <jks-file>

Path to JKS truststore containing trusted CA for SSL Server certificates.(for HTTPS connections)

-truststorepwd <password>

Path to JKS truststore containing trusted CA for SSL Server certificates.(for HTTPS connections)

The following return values are used:

-2 : Error happened during execution
-1 : Bad arguments
0 : Certificate is valid
1 : Certificate is revoked
2 : Certificate is not yet valid
3 : Certificate has expired
4 : Certificate does not verify
5 : CA Certificate has been revoked
6 : CA Certificate is not yet valid
7 : CA Certificate has expired
8 : Certificate has no valid certificate purpose