As mentioned before, to lint X.509 certificates, CRLs, and OCSP responses according to RFCs and CA/B Forum requirements, the ADSS Server integrates PKI Lint and ZLint tools within the External Script Linter module. Here, we will explain the installation and configuration of both the tools with ADSS Server.  


Installation of PKILINT v3.6.3

The configuration steps of PKlLint tool with ADSS Server are explained below:

  1. First of all, Python is required for installing PKILint to your system. Therefore, navigate to the link below and download the latest version of Python: 
    https://www.python.org/downloads/
  2. Next, we need to set the environment variables if they haven't been configured already. To do this, open the System Environment Variables by searching for it in the Windows menu.
  3. Click on the Environment Variables button.
  4. Select Path under User variables and click on the Edit button.
  5. Click on the New button and add the below path: 
    C:\Users\{username}\AppData\Local\Programs\Python\Python312
  6. Once done, click on the Ok button. 
  7. Now select Path System variables and click on the Edit button
  8. Click on the New button and add the below paths: 
    C:\Users\{username}\AppData\Local\Programs\Python\Python312
    C:\Users\{username}\AppData\Local\Programs\Python\Python312\Scripts
  9. Once done, click on the Ok button. 
  10. Once Python is installed and environment variables are set, we will need to download Pipx for both Linux and Windows.
  11. To download Pipx for Linux, execute the below commands: 


  1. To download Pipx for Windows, we first need to download Scoop. To download Scoop, open PowerShell terminal and execute the below commands:
    • Once Scoop is downloaded for Windows, we will execute the below command in the PowerShell terminal:


  1. Afterwards, we will execute the below command in PowerShell to install PKILINT:
  2. Once PKILint is installed, we will run our required command in the CMD to conclude PKILint installation. For instance if we want to lint a certificate, then we will execute the below command in Command Prompt providing the certificate path at the end: 


  1. For more details regarding PKILINT, refer to the link below:
    https://github.com/digicert/pkilint 



Installation of ZLINT v0.11.3

The configuration steps of ZLINT tool with ADSS Server are explained below:

  1. First of all, we need to Download GO for both Windows and Linux by navigating to the link below: 
    https://go.dev/doc/install
  2. To download the Go for Windows, follow the instructions below: 
    • Open the MSI file you downloaded and follow the prompts to install Go
    • Verify that you've installed Go:
      • In Windows, click the Start menu.
      • In the menu's search box, type cmd, then press the Enter key.
      • In the Command Prompt window that appears, type the following command:


      • Confirm that the command prints the installed version of Go.
  1. To download the Go for Linux, follow the instructions below: 
    • Remove any previous Go installation by deleting the /usr/local/go folder (if it exists), then extract the archive you just downloaded into /usr/local, creating a fresh Go tree in /usr/local/go:


    • Add /usr/local/go/bin to the PATH environment variable.
      You can do this by adding the following line to your $HOME/.profile or /etc/profile (for a system-wide installation):


    • Verify that you've installed Go by opening a command prompt and typing the following command:


    • Confirm that the command prints the installed version of Go.

  1. Once Go is downloaded for both Windows and Linux by following the above steps, execute the below command in CMD to conclude ZLint installation:


  1. For more details regarding ZLINT, refer to the link below:
    https://github.com/zmap/zlint


Configuration on ADSS Server Console

Once both the linting tools i.e. PKILINT and ZLINT are installed on our system, then we can integrate these tools with ADSS Server by configuring them on ADSS Server Console. The configuration steps are explained as below:

  1. Navigate to Global Settings > External Script Linter 
  2. Create a new Linting Tool profile by clicking on the (+) icon.
  3. Clicking on the icon displays the following screen: 



  4. Fill in the required information in the above screen and click on the Next (>) tab. 
  5. For ZLINT, the user can set multiple script commands to validate Certificates and CRLs. These include: 
    • Certificates:
      • For CA/B Forum Baseline Requirement for TLS and Code Signing: 
        zlint -format pem -includeSources CABF_BR %INPUT%
      • For CA/B Forum EV Certificates: 
        zlint -format pem -includeSources CABF_EV %INPUT%
      • For CA/B Forum SMIME: 
        zlint -format pem -includeSources CABF_SMIME_BR %INPUT%
      • For validating against RFC5280 (All Certificates): 
        zlint -format pem -includeSources RFC5280 %INPUT%
    • For CRLs, use below command:
      zlint -format pem -includeSources RFC5280 %INPUT%
      Note:The '-format' can be 'pem', 'der' or 'base64'.
  1. Use one of the script command from above and perform required configurations for ZLINT as mentioned on the screen below: 

     
  2. For PKILINT, the user can set multiple script commands to validate Certificates and CRLs. These include: 
    • Certificates:
      • For EV and Non-TLS Server CA/B Forum: 
        lint_cabf_serverauth_cert lint -f JSON -d %INPUT%
      • For SMIME according to CA/B Forum: 
        lint_cabf_smime_cert lint -f JSON -d %INPUT%
      • For all other certificates: 
        lint_pkix_cert lint -f JSON %INPUT%
    • For CRLs according to: 
      • RFC5280:
        lint_crl lint -t CRL -p PKIX -f JSON %INPUT%
      • CA/B Forum:
        lint_crl lint -t CRL -p BR -f JSON %INPUT 
    • OCSP Response Lint according to RFC6960, use below command:
      lint_ocsp_response lint -f JSON %INPUT%
  1. Use one of the script command from above and perform required configurations for PKILINT as mentioned on the screen below: 



Known Limitations

Here are the known limitations of Linting tools that the user must consider:

  • Both ZLINT and PKILINT tools only accept input in file format and do not support plain text input.
  • ZLINT can lint CRLs only if the Input Encoding is set to PEM. It returns an error if the input is in DER or BASE64 format.
  • ZLINT supports linting exclusively for ECDSA keys using the NIST_P curve type and does not support linting for SEC2_K, BRAINPOOL_R, or BRAINPOOL_T curves.
  • ZLINT does not lint the OCSP Responses.
  • PKILint returns an exit code of 1 even when linting is successful. Therefore, when configuring PKILint in the ADSS Server, make sure to keep the "Fail script if exit code is 1 or above" flag disabled.