Analyze certificates for errors

A command-line tool, certScan, scans X.509 public-key certificates and reports issues with them. The tool is found in <Activator_install_directory>\Activator\tools.

The tool scans files of public-key certificates: files with the extensions .cer, .crt, .der, .p7b and .p7c. It cannot scan certificates with private keys, meaning files with the extensions .p12 and .pfx.

One use for this tool is to scan certificates from partners before importing the certificate files into Activator. This may be advisable if you have a partner who has provided unreliable certificates that adversely affected message trading.

The tool can scan a single certificate file or a directory of certificate files.

Run the tool from the tools directory. The format is:

certScan <file or directory>

where file is the path to a single certificate file and directory is the path to a directory containing multiple certificate files.

Each certificate file is presumed to contain one or more certificates. When a file contains more than one certificate, it is assumed the multiple certificates form a chain from end-entity certificate to CA root certificate.

When a directory is specified, the tool finds all certificate files in that directory and all subdirectories, recursively.
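Before pointing certScan at a directory received from a partner, it can help to see which files fall into the scannable and non-scannable extension groups described above. The following Python script is an added example, not part of Activator or certScan. It walks a directory recursively, sorts files by the extensions listed on this page, and notes files holding more than one PEM certificate or a PEM private key block. The function names, report keys and sample files are constructed for illustration, and the content check assumes PEM text encoding (binary DER and PKCS#7 content is not parsed).

```python
import os
import re

# Extension lists come from the page; everything else here is illustrative.
SCANNABLE = {".cer", ".crt", ".der", ".p7b", ".p7c"}  # public-key certificate files
PRIVATE_KEY = {".p12", ".pfx"}                        # hold private keys; not scannable
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----")
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def triage(root):
    """Walk root recursively and sort files into scan / skip / other buckets."""
    report = {"scan": [], "skip_private_key": [], "other": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PRIVATE_KEY:
                report["skip_private_key"].append(path)
            elif ext in SCANNABLE:
                report["scan"].append(path)
                with open(path, "rb") as fh:
                    data = fh.read()
                count = len(PEM_CERT.findall(data))
                if count > 1:  # multi-certificate file: expected to be a chain
                    report["notes"].append((path, f"{count} PEM certificates (chain?)"))
                if PEM_KEY.search(data):  # key material in a "public" file
                    report["notes"].append((path, "contains a PEM private key block"))
            else:
                report["other"].append(path)
    return report

def make_sample(root):
    """Write constructed placeholder files (not real certificates) for a dry run."""
    cert = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    files = {"partner_a.cer": cert, "chain.crt": cert * 2, "readme.txt": b"notes",
             os.path.join("sub", "leaked.crt"): cert + key,
             os.path.join("sub", "bundle.P12"): b"\x30\x82"}
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for bucket, items in triage(tmp).items():
            print(bucket, items)
```

Files in the "scan" bucket are the ones to pass to certScan; a private key block in a file with a certificate extension is worth raising with the partner before import.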

The tool displays the following data:

  • Info – An interesting characteristic of the certificate that does not violate any standards and does not affect the certificate's performance in Activator.
  • Warning – An anomaly in the certificate that violates RFC 3280, but does not affect the certificate's performance in Activator.
  • Error – A serious problem with the certificate that may violate RFC 3280 and that would cause the certificate not to function properly in the trading engine.

RFC 3280 is the Internet Engineering Task Force standard for X.509 certificates. A copy of RFC 3280 is at: http://www.ietf.org/rfc/rfc3280.txt.
