Skip to content
X.509 certificate linter
Branch: master
Clone or download
Latest commit 9240b6a Feb 22, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Fix matching of non-UTF-8 strings Oct 10, 2016
data Update data files Feb 21, 2019
ext Regen source Aug 29, 2017
lib Add comments on the name compare routine May 21, 2018
spec Gemize Jun 20, 2017
.gitignore Gemize Jun 20, 2017
.rubocop.yml Import certlint Jan 16, 2016
LICENSE Initial commit Jan 14, 2016
certlint.gemspec Add versions Jun 20, 2017
make-names.rb request all data urls via HTTPS. Apr 20, 2017


X.509 certificate linter

certlint is currently at version 0.9.0. It does not yet build as a gem.

For now, execute by running:

ruby -I lib:ext bin/certlint or ruby -I lib:ext bin/cablint

Required gems

  • public_suffix
  • simpleidn

If using less than Ruby 2.3, you also need the unf gem.

Building the asn1validator extension

certlint requires that the asn1validator extension be available.

See ext/README for instructions on building it.


Messages will be output one per line. Each line will start with a single capital letter, a colon, and a space. The letters indicate the type of message:

  • B: Bug. Your certificate has a feature not handled by certlint.
  • I: Information. These are purely informational; no action is needed.
  • N: Notice. These are items known to cause issues with one or more implementations of certificate processing but are not errors according to the standard.
  • W: Warning. These are issues where a standard recommends differently but the standard uses terms such as "SHOULD" or "MAY".
  • E: Error. These are issues where the certificate is not compliant with the standard.
  • F: Fatal Error. These errors are fatal to the checks and prevent most further checks from being executed. These are extremely bad errors.


Certlint was written by Peter Bowen (

Contributors include Matt Palmer, Rob Stradling, David Keeler, and Karsten Weiss.

You can’t perform that action at this time.