This repository has been archived by the owner on Apr 29, 2021. It is now read-only.

Need scripts or common tools for identifying all Intermediate certificate authorities and certificates #8

Closed
lachellel opened this issue Apr 18, 2016 · 3 comments

Comments

@lachellel
Member

I'm trying to collect scripts, government or open source tools for identifying all the intermediate certificate authorities and valid intermediate certificates which chain to Federal Common Policy Certificate Authority (Common).

This is needed for legacy network authentication implementations, and for applications that do not fully implement path discovery or validation protocols (RFC 5280). We have tools for visually viewing the certificate authorities; however, automated discovery and retrieval of all certificates can be a manually intensive process.

Scripts could include:

  • PowerShell with certutil
  • Ksh with openssl
  • Java
  • Other
@grandamp
Collaborator

Here is a Java implementation (as you are aware): https://github.com/grandamp/KSValidationService

The intent was a way to perform SIA discovery in order to discover all FPKI intermediates, since the SIA extension is mandatory under the certificate and CRL profile for the Common Policy Root CA.

It is far from an ideal solution, but it exists!
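
The SIA discovery described in the comment above, as an added example (not part of the thread and not code from KSValidationService): it parses a DER SubjectInfoAccess extension value for caRepository URIs and walks them breadth-first. The `fetch` callback, CA names and URIs are hypothetical; `fetch` stands in for downloading each repository bundle and returning the subject and SIA value of every certificate in it.

```python
from collections import deque

CA_REPOSITORY = bytes.fromhex("2b06010505073005")  # id-ad-caRepository, 1.3.6.1.5.5.7.48.5

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ca_repository_uris(sia_der):
    """caRepository URIs in a DER SubjectInfoAccessSyntax extension value."""
    tag, body, _ = read_tlv(sia_der, 0)
    if tag != 0x30:
        raise ValueError("SIA value is not a SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)        # AccessDescription
        _, oid, loc_at = read_tlv(desc, 0)        # accessMethod
        loc_tag, loc, _ = read_tlv(desc, loc_at)  # accessLocation
        if oid == CA_REPOSITORY and loc_tag == 0x86:  # [6] URI GeneralName
            uris.append(loc.decode("ascii"))
    return uris

def discover(root_sia, fetch):
    """Breadth-first SIA walk; fetch(uri) yields (subject, sia_der or None)."""
    queue, seen, found = deque(ca_repository_uris(root_sia)), set(), {}
    while queue:
        uri = queue.popleft()
        if uri not in seen:  # visit each repository once, even if re-referenced
            seen.add(uri)
            for subject, sia in fetch(uri):
                found.setdefault(subject, uri)  # remember where it was first seen
                queue.extend(ca_repository_uris(sia) if sia else [])
    return found

# Constructed sample data: hypothetical CA names and repository URIs.
def make_sia(*uris):
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0x06, CA_REPOSITORY) + tlv(0x86, u.encode())) for u in uris))

U = "http://r.example/{}.p7c".format
REPO = {U("root"): [("CA A", make_sia(U("a"))), ("Bridge", make_sia(U("b")))],
        U("a"): [("CA A1", None)],
        U("b"): [("CA B", make_sia(U("root")))]}  # points back at the root repository
FOUND = discover(make_sia(U("root")), lambda u: REPO.get(u, []))
```

`FOUND` maps each discovered subject to the repository URI where it was first seen; the back-reference from the third repository to the first is visited only once.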

@weirdscience

Should this go under the FPKI Guide? There seems to be some bleed over between the two and it should be very clear. Should the FPKI Guide be added to the PIV guide or vice versa to make it simpler?

mttcpr pushed a commit that referenced this issue May 19, 2017
Re-synch ocsp-drafting-2 branch with GSA Staging
@idmken
Contributor

idmken commented Dec 29, 2020

FPKI Graph does this - https://fpki.idmanagement.gov/tools/fpkigraph/

Maybe open a new issue if there is interest in scripts run locally.

Also references on this page = https://piv.idmanagement.gov/pivcertchains/

@idmken idmken closed this as completed Dec 29, 2020