Skip to content
Mathew Hodson edited this page Mar 25, 2021 · 3 revisions

The following is a list of lints run on each certificate at this time.

Lint Name Description Providence
basic_constraints_not_critical Conforming CAs must mark Basic Constraints as critical when it is included in CA certs RFC 5280: 4.2.1.9
br_san_bare_wildcard Wildcard MUST be accompanied by other data to it's right (Only checks DNSName) -
br_san_wildcard_not_first Wildcard MUST be in the first label of FQDN, ie not: www.\*.com (Only checks DNSName) -
ca_country_name_invalid Root & Subordinate CA certificates must have a two-letter country code that is in ISO 3166-1 CAB: 7.1.2.1
ca_country_name_missing Root & Subordinate CA certificates must have a countryName present in subject information CAB: 7.1.2.1
ca_crl_sign_not_set Root & Subordinate CA certificate keyUsage extension's crlSign bit must be set CAB: 7.1.2.1
ca_dig_sign_not_set Root & Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to with out digital signature set CAB: 7.1.2.1, 7.1.6.2
ca_key_cert_sign_not_set Root & Subordinate CA certificate keyUsage extension's keyCertSign bit must be set CAB: 7.1.2.1
ca_key_usage_missing Root & Subordinate CA certificate keyUsage extension must be present CAB: 7.1.2.1, RFC 5280: 4.2.1.3
ca_key_usage_not_critical Root & Subordinate CA certificate keyUsage extension must be marked as critical CAB: 7.1.2.1
ca_organization_name_missing Root & Subordinate CA certificates must have a organizationName present in subject information CAB: 7.1.2.1
ca_subject_field_empty CA Certificates subject field must not be empty and must have a non-empty distingushed name RFC 5280: 4.1.2.6
cert_contains_unique_identifier CAs must not generate certificates with unique identifiers. RFC 5280: 4.1.2.8
cert_extensions_verson_not_3 The extensions field must only appear in version 3 certificates. RFC 5280: 4.1.2.9
cert_policy_conflicts_with_locality If certificate policy 2.23.140.1.2.1 is included, locality name must not be included in subject. CAB: 7.1.6.1
cert_policy_conflicts_with_org If certificate policy 2.23.140.1.2.1 is included, organization name must not be included in subject. CAB: 7.1.6.1
cert_policy_conflicts_with_postal If certificate policy 2.23.140.1.2.1 is included, postal code must not be included in subject. CAB: 7.1.6.1
cert_policy_conflicts_with_province If certificate policy 2.23.140.1.2.1 is included, stateOrProvince name must not be included in subject. CAB: 7.1.6.1
cert_policy_conflicts_with_street If certificate policy 2.23.140.1.2.1 is included, street address must not be included in subject. CAB: 7.1.6.1
cert_policy_iv_requires_country If certificate policy 2.23.140.1.2.3 is included, country name must be included in subject. CAB: 7.1.6.1
cert_policy_iv_requires_province_or_locality If certificate policy 2.23.140.1.2.3 is included, locality or stateOrProvince must be included in subject. CAB: 7.1.6.1
cert_policy_ov_requires_country If certificate policy 2.23.140.1.2.2 is included, country name must be included in subject. CAB: 7.1.6.1
cert_policy_ov_requires_province_or_locality If certificate policy 2.23.140.1.2.2 is included, locality or stateOrProvince must be included in subject. CAB: 7.1.6.1
cert_policy_requires_org If certificate policy 2.23.140.1.2.2 is included, organization name must be included in subject. CAB: 7.1.6.1
cert_policy_requires_personal_name If certificate policy 2.23.140.1.2.3 is included, organization or givenName AND surname must be included in subject. CAB: 7.1.6.1
cert_unique_identifier_version_not_2_or_3 Unique identifiers must only appear if the version is 2 or 3. RFC 5280: 4.1.2.8
dh_params_missing DH keys must have parameters -
distribution_point_incomplete A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present RFC 5280: 4.2.1.13
distribution_point_missing_ldap_or_uri When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI RFC 5280: 4.2.1.13
dns_name_empty DNSNames MUST NOT be empty if included -
dns_name_includes_null_char DNSNames MUST NOT include a null character -
dns_name_starts_with_period DNSName MUST NOT start with a period -
dsa_improper_modulus_or_divisor_size minimum DSA modulus and divisor size is either L= 2048, N= 224 or L= 2048, N= 256 CAB: 6.1.5
dsa_shorter_than_2048_bits DSA modulus size must be at least 2048 bits CAB: 6.1.5
ec_improper_curves only one of NIST P‐256, P‐384, or P‐521 can be used for all types of certificate CAB: 6.1.5
eku_critical_improperly Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present RFC 5280: 4.2.1.12
ev_business_category_missing EV certificates must include businessCategory in subject -
ev_country_name_missing EV certificates must include countryName in subject -
ev_locality_name_missing EV certificates must include localityName in subject -
ev_organization_name_missing EV certificates must include organizationName in subject -
ev_serial_number_missing EV certificates must include serialNumber in subject -
ev_valid_time_too_long EV certificates must be 27 months in validity or less -
ext_aia_access_location_missing When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI RFC 5280: 4.2.2.1
ext_aia_marked_critical Conforming CAs must mark the Authority Information Access extension as non-critical RFC 5280: 4.2.2.1
ext_authority_key_identifier_critical The authority key identifier extension must be non-critical. RFC 5280: 4.2.1.1
ext_authority_key_identifier_missing CAs must support key identifiers and include them in all certs RFC 5280: 4.2 & 4.2.1.1
ext_authority_key_identifier_no_key_identifier CAs must include keyIdentifier field of aki in all non-self-issued certs RFC 5280: 4.2.1.1
ext_cert_policy_contains_noticeref should not use the noticeRef option RFC 5280: 4.2.1.4
ext_cert_policy_disallowed_any_policy_qualifier when qualifiers are used with the special policy anyPolicy, the must be limited to qualifiers identified in this section (4.2.1.4) RFC 5280: 4.2.1.4
ext_cert_policy_duplicate a cert policy OID must not appear more than once in the extension RFC 5280: 4.2.1.4
ext_cert_policy_explicit_text_ia5_string must not encode explicitTest as IA5String RFC 6818: 3
ext_cert_policy_explicit_text_includes_control should not include any control charaters (such as U+009F) RFC 6818: 3
ext_cert_policy_explicit_text_not_nfc should be normalized according to unicode normalization form C if utf8 or bmpstring RFC 6818: 3
ext_cert_policy_explicit_text_not_utf8 should use the utf8string encoding for explicitText RFC 6818: 3
ext_cert_policy_explicit_text_too_long explicit text has a maximum size of 200 characters RFC 6818: 3
ext_crl_distribution_marked_critical If included, the CRL Distribution Points extension SHOULD NOT be marked critical RFC 5280: 4.2.1.13
ext_duplicate_extension A cert must not contain duplicate extensions. RFC 5280: 4.2
ext_freshest_crl_marked_critical Conforming CAs must mark this extension as non-critical RFC 5280: 4.2.1.15
ext_ian_critical issuer alternate name should be marked as non-critical RFC 5280: 4.2.1.7
ext_ian_dns_not_ia5_string dNSNames are IA5 strings RFC 5280: 4.2.1.7
ext_ian_empty_name general name fields must not be empty in issuer alternate name RFC 5280: 4.2.1.7
ext_ian_no_entries if present, the issuer alternative name extension must contain at least one entry RFC 5280: 4.2.1.7
ext_ian_rfc822_format_invalid email must be stored as a mailbox@domain.tld rfc822 name without "<>()" and "." before the "@" RFC 5280: 4.2.1.7
ext_ian_space_dns_name the dNSName " " must not be used RFC 5280: 4.2.1.7
ext_ian_uri_format_invalid The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. RFC 5280: 4.2.1.7
ext_ian_uri_host_not_fqdn_or_ip URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host. RFC 5280: 4.2.1.7
ext_ian_uri_not_ia5 URIs must be encoded as IA5 string in uniformResourceIdentifier RFC 5280: 4.2.1.7
ext_ian_uri_relative the name must not be a relative uri RFC 5280: 4.2.1.7
ext_key_usage_cert_sign_without_ca if the keyCertSign bit is asserted, then the cA bit MUST also be asserted RFC 5280: 4.2.1.3 & 4.2.1.9
ext_key_usage_not_critical SHOULD mark this extension as critical RFC 5280: 4.2.1.3
ext_key_usage_without_bits when included, at least one bit must be set to 1 RFC 5280: 4.2.1.3
ext_name_constraints_not_critical If it is included, conforming CAs must mark the name constraints extension as critical. RFC 5280: 4.2.1.10
ext_name_constraints_not_in_ca The name constraints extension must only be used in CA certificates RFC 5280: 4.2.1.10
ext_policy_constraints_empty Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present RFC 5280: 4.2.1.11
ext_policy_constraints_not_critical Conforming CAs must mark the policy constraints extension as critical. RFC 5280: 4.2.1.11
ext_policy_map_any_policy policies must not be mapped to or from the anyPolicy value RFC 5280: 4.2.1.5
ext_policy_map_not_critical Policy mappings should be marked as critical RFC 5280: 4.2.1.5
ext_policy_map_not_in_cert_policy each issuerDomainPolicy named in policy mappings extension should also be asserted in a certificate policies extension RFC 5280: 4.2.1.5
ext_san_contains_reserved_ip Certs issued after 2012-07-01 and expireing after 2015-11-01 must not contain a reserved ip address in the SAN extension. CAB: 7.1.4.2.1
ext_san_critical_with_subject_dn if the subject contains a distinguished name SAN should be non-critical RFC 5280: 4.2.1.6
ext_san_directory_name_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_dnsname_not_fqdn SAN dnsnames must be a fully qualified domain name. CAB: 7.1.4.2.1
ext_san_dns_not_ia5_string dNSNames are IA5 strings RFC 5280: 4.2.1.6
ext_san_dns_syntax_incorrect dns name must be in preferred name syntax RFC 5280: 4.2.1.6
ext_san_edi_party_name_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_empty_name general name fields must not be empty in san RFC 5280: 4.2.1.6
ext_san_missing Certificates must contain the Subject Alternate Name extension. CAB: 7.1.4.2.1
ext_san_no_entries if present, the san extension must contain at least one entry RFC 5280: 4.2.1.6
ext_san_not_critical_without_subject if there is an empty subject feild, then the san extension must be critical RFC 5280: 4.2.1.6 & 4.1.2.6
ext_san_other_name_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_registered_id_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_rfc822_format_invalid email must be stored as a mailbox@domain.tld rfc822 name without "<>()" and "." before the "@" RFC 5280: 4.2.1.6
ext_san_rfc822_name_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_space_dns_name the dNSName " " must not be used RFC 5280: 4.2.1.6
ext_san_uniform_resource_identifier_present The Subject Alternate Name extension must contain only dnsName and ipaddress name types. CAB: 7.1.4.2.1
ext_san_uri_format_invalid The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. RFC 5280: 4.2.1.6
ext_san_uri_host_not_fqdn_or_ip URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host. RFC 5280: 4.2.1.6
ext_san_uri_not_ia5 URIs must be encoded as IA5 string in uniformResourceIdentifier RFC 5280: 4.2.1.6
ext_san_uri_relative the name must not be a relative uri RFC 5280: 4.2.1.6
ext_subject_directory_attr_critical Conforming CAs must mark the Subject Directory Attributes extension as not critical RFC 5280: 4.2.1.8
ext_subject_key_identifier_critical The subject key identifier extension must be non-critical. RFC 5280: 4.2.1.2
ext_subject_key_identifier_missing_ca CAs must include ski in all CA certificates. RFC 5280: 4.2 & 4.2.1.2
ext_subject_key_identifier_missing_sub_cert CAs should include ski in end entity certs RFC 5280: 4.2 & 4.2.1.2
generalized_time_does_not_include_seconds Generalized time values must include seconds RFC 5280: 4.1.2.5.2
generalized_time_includes_fraction_seconds Generalized time values must not include fraction seconds RFC 5280: 4.1.2.5.2
generalized_time_not_in_zulu Generalized time values must be expressed in Greenwich Mean Time (Zulu) RFC 5280: 4.1.2.5.2
gtld_under_consideration CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by ICANN. CAB: 4.2.2
iana_pub_suffix_empty Domain SHOULD NOT have bare public suffix -
inhibit_any_policy_not_critical Conforming CAs must mark this extension as critical RFC 5280: 4.2.1.14
invalid_certificate_version Certificate must be version 3 CAB: 7.1.1
issuer_field_empty Certificates issuer field must not be empty and must have a non-empty distingushed name RFC 5280: 4.1.2.4
name_constraint_empty Conforming CAs must not issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present RFC 5280: 4.2.1.10
name_constraint_maximum_not_absent In the name constraints name forms the maximum is not used and therefore MUST be absent RFC 5280: 4.2.1.10
name_constraint_minimum_non_zero In the name constraints name forms the minimum is not used and therefore MUST be zero RFC 5280: 4.2.1.10
name_constraint_on_edi_party_name The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form RFC 5280: 4.2.1.10
name_constraint_on_registered_id The name constraints extension SHOULD NOT impose constraints on the registeredID name form RFC 5280: 4.2.1.10
name_constraint_on_x400 The name constraints extension SHOULD NOT impose constraints on the x400Address name form RFC 5280: 4.2.1.10
old_root_ca_rsa_mod_less_than_2048_bits In a validity period beginning on or before 31 dec 2010, root CA certificates using RSA public key algorithm must have 2048 bits of modulus CAB: 6.1.5
old_sub_ca_rsa_mod_less_than_1024_bits In a validity period beginning on or before 31 dec 2010 and ending on or before 31 dec 2013, subordinate CA certificates using RSA public key algorithm must have 1024 bits of modulus CAB: 6.1.5
old_sub_cert_rsa_mod_less_than_1024_bits In a validity period ending on or before 31 dec 2013, subscriber certificates using RSA public key algorithm must have 1024 bits of modulus CAB: 6.1.5
path_len_constraint_improperly_included CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set. RFC 5280: 4.2.1.9
path_len_constraint_zero_or_less Where it appears, the pathLenConstraint field must be greater than or equal to zero RFC 5280: 4.2.1.9
public_key_type_not_allowed Certificates must have RSA, DSA, or ECDSA public key type. CAB: 6.1.5
root_ca_basic_constraints_path_len_constraint_field_present Root CA certificate basicConstraint extension pathLenConstraint field should not be present CAB: 7.1.2.1
root_ca_contains_cert_policy Root CA certs SHOULD NOT contain the certificate policies extension. CAB: 7.1.2.1, 7.1.6.2
root_ca_extended_key_usage_present Root CA certificates must not have the extendedKeyUsage extension present CAB: 7.1.2.1
rsa_exp_negative “RSA public key exponent must be positive” (negative exponent found) -
rsa_mod_factors_smaller_than_752 The modulus of a RSA public key should have no factors smaller than 752 CAB: 6.1.6
rsa_mod_less_than_2048_bits in validity period beginning after 31 Dec 2010, all certificates using RSA public key algorithm must have 2048 bits of modulus CAB: 6.1.5
rsa_mod_not_odd The modulus of a RSA public key should be an odd number CAB: 6.1.6
rsa_public_exponent_not_in_range The RSA public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1 CAB: 6.1.6
rsa_public_exponent_not_odd RSA public key has to be an odd number CAB: 6.1.5
rsa_public_exponent_too_small RSA public key has to be greater or equal to 3 CAB: 6.1.5
serial_number_longer_than_20_octets Certificates must not have a serial number longer than 20 octets RFC 5280: 4.1.2.2
serial_number_not_positive Certificates must have a positive serial number RFC 5280: 4.1.2.2
sub_ca_aia_does_not_contain_issuing_ca_url Subordinate CA certificates authorityInformationAccess extension should contain the HTTP URL of the Issuing CA’s certificate CAB: 7.1.2.2
sub_ca_aia_does_not_contain_oscp_URL Subordinate CA certificates authorityInformationAccess extension must contain the HTTP URL of the Issuing CA’s OCSP responder CAB: 7.1.2.2
sub_ca_aia_missing Subordinate CA certificates must have a authorityInformationAccess extension CAB: 7.1.2.2
sub_ca_certificate_policies_marked_critical Subordinate CA certificates certificatePolicies extension should not be marked as critical CAB: 7.1.2.2
sub_ca_certificate_policies_missing Subordinate CA certificates must have a certificatePolicies extension CAB: 7.1.2.2
sub_ca_crl_distribution_points_does_not_contain_url Subordinate CA certificates cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service. CAB: 7.1.2.2
sub_ca_crl_distribution_points_marked_critical Subordinate CA certificates must not mark the cRLDistributionPoints extension as critical CAB: 7.1.2.2
sub_ca_crl_distribution_points_missing Subordinate CA certificates must have a cRLDistributionPoints extension CAB: 7.1.2.2
sub_ca_eku_critical Subordinate CA certificate extkeyUsage extension should be marked non-critical if present CAB: 7.1.2.2
sub_ca_name_constraints_not_critical Subordinate CA certificate nameConstraints extension should be marked critical if present CAB: 7.1.2.2
sub_ca_no_dns_name_contstraints Subordanate CA certs must include in the name contraints extension either premitted dns names or prohibit the empty DNS name. CAB: 7.1.5
sub_ca_no_ip_name_contstraints Subordanate CA certs must include in the name contraints extension either premitted ip ranges or prohibit all ip addresses. CAB: 7.1.5
sub_cert_aia_does_not_contain_issuing_CA_url Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the Issuing CA’s certificate CAB: 7.1.2.3
sub_cert_aia_does_not_contain_ocsp_URL Subscriber certificates authorityInformationAccess extension must contain the HTTP URL of the Issuing CA’s OCSP responder CAB: 7.1.2.3
sub_cert_aia_missing Subscriber certificates must have a authorityInformationAccess extension CAB: 7.1.2.3
sub_cert_certificate_policies_marked_critical Subscriber certificate certificatePolicies extension should not be marked critical CAB: 7.1.2.3
sub_cert_certificate_policies_missing Subscriber certificate must include the certificatePolicies extension CAB: 7.1.2.3
sub_cert_cert_policy_empty Subscriber certificates must contain at least one policy identifier that indicates adherance to CAB standards CAB: 7.1.6.4
sub_cert_crl_distribution_points_does_not_contain_url Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service. CAB: 7.1.2.3
sub_cert_crl_distribution_points_marked_critical Subscriber certificate cRLDistributionPoints extension must not be marked critical if present CAB: 7.1.2.3
sub_cert_eku_extra_values Subscriber certificates should have only id-kp-serverAuth, id-kp-clientAuth, or id-kp-emailProtection in extKeyUsage. Anything should not be included. CAB: 7.1.2.3
sub_cert_eku_missing Subscriber certificates must have the extended key usage extension present CAB: 7.1.2.3
sub_cert_eku_server_auth_client_auth_missing Subscriber certificates must have have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage CAB: 7.1.2.3
sub_cert_key_usage_cert_sign_bit_set Subscriber certificates keyUsage extension keyCertSign bit must not be set CAB: 7.1.2.3
sub_cert_key_usage_crl_sign_bit_set Subscriber certificates keyUsage extension cRLSign bit must not be set CAB: 7.1.2.3
sub_cert_or_sub_ca_using_sha1 Subscriber certificates and subordinate CA certificates must not use the SHA-1 hash algorithm on a certificate with a NotBefore date after 1 Jan 2016 CAB: 7.1.3
sub_cert_sha1_expiration_too_long Subscriber certificates using the SHA1 algorithm should not have an expiration date greater than 1 Jan 2017 CAB: 7.1.3
subject_common_name_disallowed If present Common name MUST contain a single IP address or Fully‐Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension CAB: 7.1.4.2.2
subject_common_name_included Use of the common name field is discouraged. CAB: 7.1.4.2.2
subject_common_name_not_from_san The common name field must include only names from the SAN extension. CAB: 7.1.4.2.2
subject_contains_noninformational_value Subject name fields must not contain ".","-"," " or any other indication that the field has been ommited. CAB: 7.1.4.2.2
subject_contains_reserved_ip Certs issued after 2012-07-01 and expireing after 2015-11-01 must not conatain a reserved ip address in the common name field. CAB: 7.1.4.2.1
subject_country_not_iso The country name field must contain the two-letter ISO code for the country or XX. CAB: 7.1.4.2.2
subject_empty_without_san CAs must include subject alternative name if the subject field is an empty sequence. RFC 5280: 4.2 & 4.2.1.6
subject_info_access_marked_critical Conforming CAs must mark the Subject Info Access extension as non-critical RFC 5280: 4.2.2.2
subject_locality_without_org The locality field must not be included without an organization name. CAB: 7.1.4.2.2
subject_org_without_country The organization name field must not be included without a country name. CAB: 7.1.4.2.2
subject_org_without_locality_or_province If organiation is included, either stateOrProvince or locality must be included. CAB: 7.1.4.2.2 (d&e)
subject_postal_without_org The postal code must not be included without an organization name. CAB: 7.1.4.2.2
subject_province_without_org The stateOrProvince name must not be included without an organization name. CAB: 7.1.4.2.2
subject_street_without_org The street address field must not be included without an organization name. CAB: 7.1.4.2.2
UTC_time_does_not_include_seconds UTCTime values must include seconds RFC 5280: 4.1.2.5.1
UTC_time_not_in_zulu UTCTime values must be expressed in Greenwich Mean Time (Zulu) RFC 5280: 4.1.2.5.1
validity_time_not_positive Certificates MUST have a positive time for which they are valid -
wrong_time_format_pre2050 Certificates with validity through the year 2049 must be encoded in UTC time RFC 5280: 4.1.2.5

The following is a list of lints we plan to implement in the future.

Lint Name Description Providence
br_contains_ulabel Warning thrown if commonNames in BR certificate contains U-labels -
br_san_wildcard_unknown Wildcard other than *. in SAN -
ca_valid_time_too_long CA certificates SHOULD NOT have a validity of greater than 25 years -
dir_name_empty Simply checks if the DirectoryName field is empty. No further tests are performed -
distng_name_bmp_string SHOULD NOT use deprecated BMPString -
distng_name_deprecated_attr Names SHOULD NOT have deprecated attribute (includes attribute normally) -
distng_name_dup_attr Names SHOULD NOT have multiple (attribute) attributes -
distng_name_general_string SHOULD NOT use deprecated GeneralString -
distng_name_graphic_string SHOULD NOT use deprecated GraphicString -
distng_name_invalid_label Tests to make sure the name contains a valid label -
distng_name_leading_whitespace SHOULD NOT have leading whitespace in attribute -
distng_name_multiple_attr_in_rdn SHOULD NOT have multiple attributes in a single RDN in the subject Name -
distng_name_not_ia5 SHOULD be encoded as IA5String -
distng_name_not_utf8 SHOULD be encoded as UF8String -
distng_name_teletex_string SHOULD NOT be using deprecated TeletexString -
distng_name_too_long Verifies the attribute is not too long => how long is too long? -
distng_name_trailing_whitespace SHOULD NOT have trailing whitespace in attribute -
distng_name_universal_string SHOULD NOT be using deprecated UniversalString -
distng_name_unknown_attr Name SHOULD NOT has unknown attribute (includes attribute normally) -
distng_name_unparsable Error thrown if unparsable name -
distng_name_videoex_string SHOULD NOT be using deprecated VideoexString -
dns_name_fqdn_too_long FQDN in DNSName must be less than 253 (bits?) -
dns_name_underscore_present DNS names SHOULD NOT have an underscore -
dns_name_wildcard_present Wildcards must not be FQDN of DNSName => how this is this different from line 5 -
dsa_param_not_empty “DSA signatures MUST NOT have a parameter specified” -
ec_infinite EC Public key is not infinity -
ec_no_parameters_included “EC keys must have parameters” (no parameters were included) -
ec_off_curve EC Public key MUST be on curve -
edi_part_name_missing Simply checks if the EDIPartyName field is present. No further tests are performed. -
eku_extra_usage Extended Key Usage should pertain only to TLS Web Server Authentication, TLS Web Client Authentication, and E-mail Protection. Everything else is a warning -
encode_not_der The certificate SHOULD be encoded in the DER format. -
ext_explicit_false critical:FALSE explicitly encoded (X.690) -
ext_san_placed_first Some python versions will not see SAN extension if it is the first extension -
ext_unknown Any unknown extension causes an error => what's unknown? is there a list?? -
ext_unknown_crit Any unknown or opaque extension that is marked as critical causes an error -
ext_unsupported Any extension from Netscape, Microsoft, or just unsupported is marked as opaque -
iana_base_domain_underscore SHOULD NOT contain underscore in base domain -
iana_domain_not_qualified MUST have qualified domain name -
iana_special SHOULD NOT be special name => what's a special name? -
iana_tld_type_unknown MUST have known type of TLD -
iana_tld_unknown MUST have known tld from list -
pre_br_valid_too_long Pre-BR certificates should not be more than 120 months in validity -
registered_id_empty Simply checks if the RegisteredID field is filled. No further tests are performed. -
rfc822_name_empty_value Checks to verify the validity of a RFC822 name field. Checking for empty value -
rfc822_name_invalid_padding Checks to verify the validity of a RFC822 name field. Checking for invalid padding -
rfc822_name_null_char Checks to verify the validity of a RFC822 name field. Checking for null character -
rsa_mod_is_negative “RSA public key modulus must be positive” (negative modulus found) -
rsa_no_null_param RSA keys must have a null parameter, this was missing -
rsa_no_param “RSA keys must have a parameter specified” (no rsa parameter) -
signature_algorithm_pss_not_supported Checks if the signature algorithm is RSA Probabilistic Signature Scheme. This is not supported by most browsers -
signature_algorithm_weak Compares chosen signature algorithm to list containing algs and their corresponding strength. A ‘weak’ alg should have at least 64 bits on entropy. A ‘good’ alg should have at least 20 bits -
string_contains_null If a null byte was found in a String (UTF8, Teletex, Videotex, Graphic, General) in a certificate element this error is thrown. UTF8 currently returns a separate error for this same error, condensed here. -
string_control_char_found A control character found in a String (IA5, Visible) in a certificate element will throw this error -
string_teletext_encoded_incorrectly Teletex strings found in a certificate element should be correctly encoded. -
string_utf8_encoded_incorrectly If an incorrectly encoded UTF8String is found, fatal error. This means that an element in the certificate failed: value.force_encoding('UTF-8').valid_encoding -
uid_client_not_empty clientUniqueID must not be included -
uid_issuer_not_empty issuerUniqueID must not be included -
uri_field_empty Simply checks if the URI field is present. No further tests are performed. -
x400_name_empty Fails if a x400 address field is empty. No further tests are performed. -
Clone this wiki locally