Validation CLI Interface
A Java CLI tool can be used to check the validity of a certificate from scripts. The tool supports a clustered SignServer installation using the "Use first host that response OK" policy.
When compiling, make sure that validationclient.enabled is set to true in the build properties. The client is lib/SignServer-Client-ValidationCLI.jar.
Use the client with:
bin/signclient validatecertificate <options>
The following options are available:
| Required | Description |
|---|---|
| -cert <cert-file> | Path to certificate file (DER or PEM). Required. |
| -hosts <hosts> | A comma-separated string containing the hostnames of the validation service nodes. For example, 'host1.someorg.org,host2.someorg.org'. Required. |
| -service <service-name> | The name or ID of the validation service to process the request. Required. |

| Optional | Description |
|---|---|
| -certpurposes <certpurposes> | A comma-separated string containing requested certificate purposes. |
| -der | Certificate is in DER format. |
| -help | Displays this information. |
| -pem | Certificate is in PEM format. (Default) |
| -port <port> | Remote port of service. (Default is 8080 or 8442 for SSL) |
| -silent | Does not produce any output. Only returns a value. |
| -truststore <jks-file> | Path to JKS truststore containing trusted CA for SSL Server certificates. (for HTTPS connections) |
| -truststorepwd <password> | Password for the JKS truststore. (for HTTPS connections) |
The following return values are used:
-2 : Error happened during execution
-1 : Bad arguments
0 : Certificate is valid
1 : Certificate is revoked
2 : Certificate is not yet valid
3 : Certificate has expired
4 : Certificate does not verify
5 : CA Certificate has been revoked
6 : CA Certificate is not yet valid
7 : CA Certificate has expired
8 : Certificate has no valid certificate purpose
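The following wrapper is an added example, not part of the SignServer distribution. It shows how a script can act on the return values above and fail closed on anything other than 0. The names SIGNCLIENT, describe_status and check_cert are chosen for this sketch, and it assumes the bin/signclient launcher passes the tool's return value through as the process exit status.

```shell
#!/bin/sh
# Added example: source this file, then call check_cert from your script.
# SIGNCLIENT, describe_status and check_cert are names chosen for this sketch.

# Map a process exit status to the documented return value.
# POSIX shells expose only the low 8 bits of an exit status,
# so -1 arrives as 255 and -2 arrives as 254.
describe_status() {
    case "$1" in
        0)   echo "valid" ;;
        1)   echo "revoked" ;;
        2)   echo "not yet valid" ;;
        3)   echo "expired" ;;
        4)   echo "does not verify" ;;
        5)   echo "CA certificate revoked" ;;
        6)   echo "CA certificate not yet valid" ;;
        7)   echo "CA certificate expired" ;;
        8)   echo "no valid certificate purpose" ;;
        255) echo "bad arguments (-1)" ;;
        254) echo "error during execution (-2)" ;;
        *)   echo "unknown status $1" ;;
    esac
}

# check_cert <cert-file> <hosts> <service>
# Returns 0 only when the service reports the certificate as valid. Every
# other status (errors, a missing client, unknown values) counts as failure.
check_cert() {
    client="${SIGNCLIENT:-bin/signclient}"
    status=0
    # "|| status=$?" keeps the status even when the caller uses "set -e".
    "$client" validatecertificate -cert "$1" -hosts "$2" -service "$3" -silent \
        || status=$?
    echo "$1: $(describe_status "$status")" >&2
    [ "$status" -eq 0 ]
}
```

A calling script would use it as `check_cert client.pem host1.someorg.org,host2.someorg.org <service-name> || exit 1`, so that an execution error or unreachable host is never mistaken for a valid certificate.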